CVE-2025-31675
Published 2025-03-31
CVE-2025-31675: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
Priority: P4 · 25 · Medium · CVSS 3.1 base score 5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (network-reachable, low complexity, low privileges required, user interaction required, changed scope, low confidentiality and integrity impact, no availability impact)
EPSS: 0.43% (34.0th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 Link module from versions 7.x-1.0 through 7.x-1.12.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.4.0 < 10.4.5 | 10.4.5 |
| drupal | core | >= 11.0.0 < 11.0.13 | 11.0.13 |
| drupal | core | >= 11.1.0 < 11.1.5 | 11.1.5 |
| drupal | core | >= 8.0.0 < 10.3.14 | 10.3.14 |
| drupal | drupal | >= 10.4.0 < 10.4.5 | 10.4.5 |
| drupal | drupal | >= 11.0.0 < 11.0.13 | 11.0.13 |
| drupal | drupal | >= 11.1.0 < 11.1.5 | 11.1.5 |
| drupal | drupal | >= 8.0.0 < 10.3.14 | 10.3.14 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.4.0 < 10.4.5 | 10.4.5 |
| drupal | drupal_core | >= 11.0.0 < 11.0.13 | 11.0.13 |
| drupal | drupal_core | >= 11.1.0 < 11.1.5 | 11.1.5 |
| drupal | drupal_core | >= 8.0.0 < 10.3.14 | 10.3.14 |
| drupal | link | 7.x-1.0 – 7.x-1.12 | — |
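To turn the ranges above into a check that can be run against a site's reported core version (for example from `drush status` or the `drupal/core` entry in `composer.lock`), here is a small Python helper. It is added for this page and is not part of Drupal or the advisory. It encodes the four core ranges and the 7.x Link module range exactly as listed in the table; treating a pre-release suffix such as `-rc1` as older than the matching release is this example's assumption.

```python
import re

# Affected core ranges from the table: (first affected, first fixed); the fixed version is excluded.
CORE_RANGES = [
    ("8.0.0", "10.3.14"),
    ("10.4.0", "10.4.5"),
    ("11.0.0", "11.0.13"),
    ("11.1.0", "11.1.5"),
]
# Drupal 7 contrib Link module: 7.x-1.0 through 7.x-1.12 inclusive; the page lists no fixed release.
D7_LINK_RANGE = ("7.x-1.0", "7.x-1.12")

_VERSION_RE = re.compile(r"(?:7\.x-)?(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?")


def parse_version(version: str) -> tuple:
    """Turn '10.3.14', '11.1.0-rc1' or '7.x-1.12' into a comparable tuple.

    Numeric parts are zero-padded to three components. A pre-release suffix
    sorts below the corresponding release (assumption of this example; the
    page says nothing about alpha/beta/rc ordering).
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    # (1, "", 0) marks a final release; (0, tag, n) marks a pre-release so it compares lower.
    pre = (0, m.group(2).lower(), int(m.group(3) or 0)) if m.group(2) else (1, "", 0)
    return tuple(nums[:3]) + (pre,)


def is_affected(version: str) -> bool:
    """True when a Drupal core version (or a 7.x Link module version) is in an affected range."""
    if version.startswith("7.x-"):
        lo, hi = (parse_version(v) for v in D7_LINK_RANGE)
        return lo <= parse_version(version) <= hi
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in CORE_RANGES)


def fixed_version(version: str):
    """First fixed release for an affected core version; None when not affected
    or when the page lists no fix (the 7.x Link module)."""
    if version.startswith("7.x-"):
        return None
    v = parse_version(version)
    for lo, hi in CORE_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


if __name__ == "__main__":
    for candidate in ("10.3.13", "10.3.14", "10.4.4", "11.0.13", "11.1.4", "9.5.11", "7.x-1.12", "7.x-1.13"):
        print(f"{candidate:>10}  affected={is_affected(candidate)!s:5}  fix={fixed_version(candidate)}")
```

Note that 9.x versions fall inside the first range exactly as the CVE text states ("from 8.0.0 before 10.3.14"); a 9.x site is past end of life and has no 9.x fix, so the helper reports 10.3.14 as the first fixed release.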
OSV
osv · 2025-04-01 · CVE-2025-31675 [LOW]
Drupal Core Cross-Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
GHSA
ghsa · 2025-04-01 · CVE-2025-31675 [LOW] · CWE-79
Drupal Core Cross-Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
OSV
osv · 2025-03-19 · CVE-2025-31675
Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS)
Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).
This vulnerability is mitigated by the fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.
Sites with the Link module disabled or that do not use any link fields are not affected.
Drupal
vendor_drupal · 2025-03-19 · CVE-2025-31675 [MEDIUM]
Title: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
Vulnerability Type: Cross Site Scripting
Description: Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS). This vulnerability is mitigated by the fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module. Sites with the Link module disabled or that do not use any link fields are not affected.
Solution: Install the latest version:
If you use Drupal 10.3.x, update to Drupal 10.3.14
If you use Drupal 10.4.x, update to Drupal 10.4.5
If you use Drupal 11.0.x, update to Drupal 11.0.13
If you use Drupal 11.1.x,
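The advisory text above describes the bug class (stored Link field attributes reaching the rendered markup without sufficient sanitization) and its precondition (the attacker must be able to set those attributes, typically through a core web service such as JSON:API or through a contrib or custom module). The following Python model is added for this page; it is not Drupal's code, and the advisory does not name the exact attributes that were exploitable. It shows the unsanitized rendering pattern beside an allowlist-based one, and an audit over constructed JSON:API-style link values. The `options.attributes` payload shape, the attribute allowlist, and the safe-scheme set are this example's assumptions.

```python
import html
from urllib.parse import urlsplit

# Attribute names a link formatter may emit (this example's policy, not Drupal's list).
ALLOWED_ATTRS = {"class", "id", "title", "target", "rel", "hreflang"}
# Attributes that carry a URL and therefore need a scheme check, not just escaping.
URL_ATTRS = {"href"}
# Schemes that cannot run script when followed, plus Drupal's own link-field URI schemes
# (internal:, entity:, base:, route:), which core resolves to paths before rendering.
SAFE_SCHEMES = {"", "http", "https", "mailto", "tel", "internal", "entity", "base", "route"}


def is_safe_url(value: str) -> bool:
    # urlsplit() lowercases the scheme, so "JaVaScRiPt:alert(1)" is still caught.
    return urlsplit(value.strip()).scheme in SAFE_SCHEMES


def _attr_string(attrs: dict) -> str:
    return " ".join(f'{k}="{html.escape(str(v), quote=True)}"' for k, v in attrs.items())


def render_link_vulnerable(uri: str, title: str, attributes: dict) -> str:
    """The bug class: every stored attribute is copied onto the <a> element.
    Values are escaped, so the markup stays well-formed, but nothing polices the
    attribute *names* or the href scheme. A stored onmouseover="..." or a
    javascript: href therefore executes for whoever views the page."""
    attrs = {"href": uri, **attributes}
    return f"<a {_attr_string(attrs)}>{html.escape(title)}</a>"


def filter_attributes(attributes: dict):
    """Hardened pattern: allowlist attribute names (case-insensitively, so ONCLICK
    does not slip past) and require a safe scheme on URL attributes.
    Returns (kept, dropped) so a caller can log what someone tried to store."""
    kept, dropped = {}, []
    for name, value in attributes.items():
        lname, value = name.lower(), str(value)
        if lname in URL_ATTRS and is_safe_url(value):
            kept[lname] = value
        elif lname in ALLOWED_ATTRS:
            kept[lname] = value
        else:
            dropped.append((name, value))
    return kept, dropped


def render_link_hardened(uri: str, title: str, attributes: dict):
    # A stored "href" attribute overrides the field's uri here, so it is filtered too.
    kept, dropped = filter_attributes({"href": uri, **attributes})
    if "href" not in kept:  # unsafe scheme: neutralise the link rather than emit it
        kept = {"href": "#", **kept}
    return f"<a {_attr_string(kept)}>{html.escape(title)}</a>", dropped


# Constructed sample of link-field values in the shape a JSON:API/REST write would carry
# ({"uri", "title", "options": {"attributes": {...}}}); the shape is an assumption of this example.
SAMPLE_LINK_VALUES = [
    {"uri": "https://example.com/docs", "title": "Docs",
     "options": {"attributes": {"target": "_blank", "rel": "noopener"}}},
    {"uri": "internal:/node/1", "title": "Hover me",
     "options": {"attributes": {"onmouseover": "alert(document.cookie)"}}},
    {"uri": "javascript:alert(1)", "title": "Click", "options": {}},
    {"uri": "/contact", "title": "Contact",
     "options": {"attributes": {"OnClick": "fetch('/evil?c='+document.cookie)", "class": "btn"}}},
]


def audit_link_values(values: list) -> list:
    """Report every link value whose stored attributes the hardened filter would drop.
    Usable as a pre-save check on incoming web-service writes, or as a sweep over
    already-stored field data after patching."""
    findings = []
    for index, item in enumerate(values):
        attrs = {"href": item.get("uri", ""), **item.get("options", {}).get("attributes", {})}
        _, dropped = filter_attributes(attrs)
        if dropped:
            findings.append({"index": index, "uri": item.get("uri"), "dropped": dropped})
    return findings


if __name__ == "__main__":
    bad = SAMPLE_LINK_VALUES[1]
    print("vulnerable:", render_link_vulnerable(bad["uri"], bad["title"], bad["options"]["attributes"]))
    print("hardened:  ", render_link_hardened(bad["uri"], bad["title"], bad["options"]["attributes"])[0])
    for finding in audit_link_values(SAMPLE_LINK_VALUES):
        print(finding)
```

The point the model makes is the one the advisory's CVSS vector encodes: escaping attribute values is not sanitization when the attacker controls attribute names, and a `javascript:` href is well-formed HTML that still runs script. Allowlisting names and checking URL schemes closes both paths regardless of which specific attributes the original bug accepted. The audit is a model of the check, not a drop-in Drupal hook; on a real site the equivalent sweep reads stored link field `options` rather than a JSON payload.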
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.