CVE-2025-11570
MEDIUM
drupal-pattern-lab/unified-twig-extensions - Cross-Site Scripting in Link Function
Title source: llm
Description
Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filtering of data. **Note:** This is exploitable only if the code is executed outside of Drupal; the function is intended to be shared between Drupal and Pattern Lab. The package drupal-pattern-lab/unified-twig-extensions is unmaintained; the fix for this issue exists in version 1.1.1 of [drupal/unified_twig_ext](https://www.drupal.org/project/unified_twig_ext).
References (3)
Core References
Various Sources
https://www.drupal.org/sa-contrib-2023-041
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PHP-DRUPALPATTERNLABUNIFIEDTWIGEXTENSIONS-8400877
Scores
CVSS v3
4.6
EPSS
0.0020
EPSS Percentile
9.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
drupal-pattern-lab/unified-twig-extensions
0
Packagist
n/a/drupal-pattern-lab/unified-twig-extensions
0.0.0
Published
Oct 10, 2025
Tracked Since
Feb 18, 2026