CVE-2025-13081

CWE-915CWE-502Deserialization of Untrusted Data6 documents5 sources
Severity
5.9MEDIUM
EPSS
0.1%
top 70.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Drupal Drupal CoreDrupal DrupalDrupal Core
Timeline
PublishedNov 18

Description

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 0.7 | Impact: 5.2

Affected Packages3 packages

Packagistdrupal/core8.0.010.4.9+3
CVEListV5drupal/drupal_core8.0.010.4.9+3
NVDdrupal/drupal8.0.010.4.9+3

🔴Vulnerability Details

4
GHSA
Drupal core allows Object Injection2025-11-18
CVEList
Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-0062025-11-18
OSV
Drupal core allows Object Injection2025-11-18
OSV
CVE-2025-13081: Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site2025-11-12

📋Vendor Advisories

1
Drupal
Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-0062025-11-12
CVE-2025-13081 (MEDIUM CVSS 5.9) | Improperly Controlled Modification | cvebase.io