CVE-2025-31675

CWE-79Cross-site Scripting (XSS)6 documents5 sources
Severity
5.4MEDIUM
EPSS
0.2%
top 54.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Drupal Drupal CoreDrupal DrupalDrupal Core+1 more
Timeline
PublishedMar 31
Latest updateApr 1

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

Packagistdrupal/core8.0.010.3.14+3
CVEListV5drupal/drupal_core8.0.010.3.14+3
NVDdrupal/drupal8.0.010.3.14+3
CVEListV5drupal/link7.x-1.07.x-1.12

🔴Vulnerability Details

4
OSV
Drupal Core Cross-Site Scripting (XSS) Vulnerability2025-04-01
GHSA
Drupal Core Cross-Site Scripting (XSS) Vulnerability2025-04-01
CVEList
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-0042025-03-31
OSV
CVE-2025-31675: Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS)2025-03-19

📋Vendor Advisories

1
Drupal
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-0042025-03-19
CVE-2025-31675 (MEDIUM CVSS 5.4) | Improper Neutralization of Input Du | cvebase.io