CVE-2025-31675
MEDIUMDrupal 8.0.0-10.3.13, 10.4.0-10.4.4, 11.0.0-11.1.4 & Link 7.x-1.0-7.x-1.11 - XSS
Title source: llmDescription
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
https://www.drupal.org/sa-core-2025-004
Third Party Advisory third-party-advisory
https://www.herodevs.com/vulnerability-directory/cve-2025-31675
Third Party Advisory third-party-advisory
https://d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004
Scores
CVSS v3
5.4
EPSS
0.0008
EPSS Percentile
23.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (7)
drupal/core
8.0.0 - 10.3.14Packagist
drupal/drupal
8.0.0 - 10.3.14
Drupal/Drupal core
10.4.0 - 10.4.5
Drupal/Drupal core
11.0.0 - 11.0.13
Drupal/Drupal core
11.1.0 - 11.1.5
Drupal/Drupal core
8.0.0 - 10.3.14
Drupal/Link
7.x-1.0 - 7.x-1.12
Published
Mar 31, 2025
Tracked Since
Feb 18, 2026