CVE-2025-9551

MEDIUM

Drupal Protected Pages <1.8.0 - Auth Bypass

Title source: llm

Description

Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force.This issue affects Protected Pages: from 0.0.0 before 1.8.0, from 7.X-1.0 before 7.X-2.5.

References (3)

[Patch, Vendor Advisory] https://www.drupal.org/sa-contrib-2025-101

[Third Party Advisory] https://docs.herodevs.com/drupal/release-notes/protected-pages

[Third Party Advisory] https://d7es.tag1.com/security-advisories/protected-pages-moderately-critical-access-bypass-sa-contrib-2025-101

Scores

CVSS v3 6.5

EPSS 0.0007

EPSS Percentile 20.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-307

Status published

Products (3)

Drupal/Protected Pages 0.0.0 - 1.8.0

Drupal/Protected Pages 7.x-1.0 - 7.x-2.5

protected_pages_project/protected_pages < 8.x-1.8

Published Oct 10, 2025

Tracked Since Feb 18, 2026