CVE-2025-3057
Published: 2025-03-31
Priority: P4 (25) · Severity: medium · CVSS 3.1 base score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.27% (18.2th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.4.0 < 10.4.3 | 10.4.3 |
| drupal | core | >= 11.0.0 < 11.0.12 | 11.0.12 |
| drupal | core | >= 11.1.0 < 11.1.3 | 11.1.3 |
| drupal | core | >= 8.0.0 < 10.3.13 | 10.3.13 |
| drupal | drupal | >= 10.4.0 < 10.4.3 | 10.4.3 |
| drupal | drupal | >= 11.0.0 < 11.0.12 | 11.0.12 |
| drupal | drupal | >= 11.1.0 < 11.1.3 | 11.1.3 |
| drupal | drupal | >= 8.0.0 < 10.3.13 | 10.3.13 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.4.0 < 10.4.3 | 10.4.3 |
| drupal | drupal_core | >= 11.0.0 < 11.0.12 | 11.0.12 |
| drupal | drupal_core | >= 11.1.0 < 11.1.3 | 11.1.3 |
| drupal | drupal_core | >= 8.0.0 < 10.3.13 | 10.3.13 |
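Added example, not the advisory's, the CVE record's or Drupal's own tooling: a small Python checker that tests an installed core version (given directly, or read from a site's composer.lock) against the four affected ranges listed in the table above. It treats pre-releases conservatively (10.4.0-rc1 and 10.3.13-rc1 both report as affected) and refuses to classify Drupal 7 version strings, which are a different code base and out of scope for these ranges. The composer.lock fragment inside it is constructed sample input, not a real site's lock file.

```python
"""Check an installed Drupal core version against the CVE-2025-3057 ranges.

Added example; not part of the advisory, the CVE record, or Drupal's own
tooling. The ranges below are the four "from X before Y" ranges stated in the
CVE record; the composer.lock fragment at the bottom is constructed sample
input, not a real site's lock file.
"""
import json
import re

# (introduced, fixed) pairs from the CVE record: affected means
# introduced <= version < fixed. The first range spans 8.x and 9.x as well as
# 10.0-10.3; only 10.3.13 is a fixed release in that range, so anything on 8.x,
# 9.x or 10.0-10.2 has no patched release of its own branch.
AFFECTED_RANGES = [
    ("8.0.0", "10.3.13"),
    ("10.4.0", "10.4.3"),
    ("11.0.0", "11.0.12"),
    ("11.1.0", "11.1.3"),
]

# major.minor.patch with an optional pre-release suffix such as -rc1 or -beta2.
# Drupal 7 ("7.103") does not match on purpose: it is a different code base and
# not in scope for these ranges, so the checker refuses to classify it.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Turn '10.3.12' or '10.4.0-rc1' into a tuple that sorts like semver.

    A pre-release sorts before the final release with the same numbers:
    (10, 4, 0, 0, 'rc1') < (10, 4, 0, 1, '').
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Drupal core version: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag = m.group(4)
    return (major, minor, patch) + ((0, tag) if tag else (1, ""))


def check_version(text):
    """Return (affected, fixed_in); fixed_in is None when not affected.

    Pre-releases are handled conservatively: the lower bound is tested against
    the bare major.minor.patch (so 10.4.0-rc1 counts as on or after 10.4.0),
    while the upper bound uses full semver order (so 10.3.13-rc1 is still
    before the 10.3.13 fix). Both therefore report as affected.
    """
    v = parse_version(text)
    base = v[:3] + (1, "")
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= base and v < parse_version(fixed):
            return True, fixed
    return False, None


def version_from_composer_lock(lock_text):
    """Pull the installed drupal/core version out of a composer.lock document.

    Composer-managed sites (the recommended install) pin core as the
    drupal/core package, whether or not they also require drupal/core-recommended.
    """
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg["version"]
    raise LookupError("drupal/core not present in composer.lock")


# Constructed sample composer.lock fragment (only the keys this script reads).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.12"},
        {"name": "drupal/core-recommended", "version": "10.3.12"},
    ]
})

if __name__ == "__main__":
    for v in ("9.5.11", "10.3.12", "10.3.13", "10.4.0-rc1", "11.0.11", "11.1.3", "11.2.0"):
        print("%-11s affected=%s fixed_in=%s" % ((v,) + check_version(v)))
    print("composer.lock ->", check_version(version_from_composer_lock(SAMPLE_LOCK)))
```

Run it from a site root with the real composer.lock read into `version_from_composer_lock`, or pass the version shown by `composer show drupal/core` straight to `check_version`. The 8.x and 9.x branches fall inside the first range but have no fixed release of their own, so a hit there means upgrading to a supported branch, not applying a point release.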
Drupal
vendor_drupal · 2025-02-19
CVE-2025-3057 [HIGH] Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
Vulnerability Type: Cross site scripting
Note: "Critical" in the advisory title is Drupal's own security risk rating (its 0 to 25 risk-score scale), not a CVSS severity; the CVSS 3.1 base score for this CVE is 6.1 (medium).
Description: Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS). Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue. This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future.
Solution: Install the latest version. If you use Drupal 10.3.x, update to Drupal 10.3.13. If you use Drupal 10.4.x, update to Drupal 10.4.3. If you use Drupal 11.0.x, update to Drupal 11.0.12. If you use Drupal 11.1.x, up
OSV
osv · 2025-04-01
CVE-2025-3057 [MEDIUM] Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
GHSA
ghsa · 2025-04-01
CVE-2025-3057 [MEDIUM] CWE-79 Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
OSV
osv · 2025-02-19
CVE-2025-3057: Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS)
Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS).
Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue.
This issue is being protected by [Drupal Steward](https://www.drupal.org/steward). Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.