CVE-2025-13080
Published 2025-11-18
Priority: P4 · 30 · medium · 5.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.28% (19.8th percentile)
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.5.0 < 10.5.6 | 10.5.6 |
| drupal | core | >= 11.0.0 < 11.1.9 | 11.1.9 |
| drupal | core | >= 11.2.0 < 11.2.8 | 11.2.8 |
| drupal | core | >= 8.0.0 < 10.4.9 | 10.4.9 |
| drupal | drupal | >= 10.5.0 < 10.5.6 | 10.5.6 |
| drupal | drupal | >= 11.0.0 < 11.1.9 | 11.1.9 |
| drupal | drupal | >= 11.2.0 < 11.2.8 | 11.2.8 |
| drupal | drupal | >= 8.0.0 < 10.4.9 | 10.4.9 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.5.0 < 10.5.6 | 10.5.6 |
| drupal | drupal_core | >= 11.0.0 < 11.1.9 | 11.1.9 |
| drupal | drupal_core | >= 11.2.0 < 11.2.8 | 11.2.8 |
| drupal | drupal_core | >= 8.0.0 < 10.4.9 | 10.4.9 |
GHSA
Drupal core allows Forceful Browsing
ghsa·2025-11-18
CVE-2025-13080 [LOW] CWE-754 Drupal core allows Forceful Browsing
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
OSV
Drupal core allows Forceful Browsing
osv·2025-11-18
CVE-2025-13080 [LOW] Drupal core allows Forceful Browsing
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
OSV
CVE-2025-13080: Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden
osv·2025-11-12
Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.
This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).
This could be exploited in various ways:
* Broken rendering of some pages
* Unstyled or malformatted pages
* Adverse impacts on client-side functionality
Changes are being made in the underlying library which will mitigate this problem, but in the meantime Drupal core has been hardened to protect against this vulnerability. The authors of the underlying library do not believe it is a source of vulnerabilities in other systems. Drupal's us
Drupal
Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
vendor_drupal·2025-11-12
CVE-2025-13080 [MEDIUM] Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
Title: Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
Vulnerability Type: Denial of Service
Description: Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden. This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning). This could be exploited in various ways:
* Broken rendering of some pages
* Unstyled or malformatted pages
* Adverse impacts on client-side functionality

Changes are being made in the underlying library which will mitigate this problem, but in the meantime Drupal core has been hardened to protect against this vulnerab
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.