Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-10931

Summary
Assigner-drupal
Assigner Org ID-2c85b837-eb8b-40ed-9d74-228c62987387
Published At-29 Oct, 2025 | 23:13
Updated At-30 Oct, 2025 | 14:15
Rejected At-
Credits

Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:drupal
Assigner Org ID:2c85b837-eb8b-40ed-9d74-228c62987387
Published At:29 Oct, 2025 | 23:13
Updated At:30 Oct, 2025 | 14:15
Rejected At:
▼CVE Numbering Authority (CNA)
Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1.

Affected Products
Vendor
The Drupal AssociationDrupal
Product
Umami Analytics
Collection URL
https://www.drupal.org/project/umami_analytics
Repo
https://git.drupalcode.org/project/umami_analytics
Default Status
unaffected
Versions
Affected
  • From 0.0.0 before 1.0.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-63CAPEC-63 Cross-Site Scripting (XSS)
CAPEC ID: CAPEC-63
Description: CAPEC-63 Cross-Site Scripting (XSS)
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Pierre Rudloff (prudloff)
remediation developer
Ivica Puljic (pivica)
coordinator
Damien McKenna (damienmckenna)
coordinator
Juraj Nemec (poker10)
coordinator
Pierre Rudloff (prudloff)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.drupal.org/sa-contrib-2025-109
N/A
Hyperlink: https://www.drupal.org/sa-contrib-2025-109
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.13.8LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 3.8
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:mlhess@drupal.org
Published At:30 Oct, 2025 | 00:15
Updated At:03 Dec, 2025 | 20:11

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.13.8LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 3.8
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CPE Matches
umami
umami
>>umami_analytics>>Versions before 1.0.1(exclusive)
cpe:2.3:a:umami:umami_analytics:*:*:*:*:*:drupal:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarymlhess@drupal.org
CWE ID: CWE-79
Type: Secondary
Source: mlhess@drupal.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.drupal.org/sa-contrib-2025-109mlhess@drupal.org
Patch
Vendor Advisory
Hyperlink: https://www.drupal.org/sa-contrib-2025-109
Source: mlhess@drupal.org
Resource:
Patch
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

89Records found
CVE-2025-3900
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 37.83%
||
7 Day CHG~0.00%
Published-23 Apr, 2025 | 17:07
Updated-20 Jun, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS).This issue affects Colorbox: from 0.0.0 before 2.1.3.

Action-Not Available
Vendor-colorbox_projectThe Drupal Association
Product-colorboxColorbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3902
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 39.87%
||
7 Day CHG~0.00%
Published-23 Apr, 2025 | 17:08
Updated-17 Jun, 2025 | 00:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Block Class allows Cross-Site Scripting (XSS).This issue affects Block Class: from 4.0.0 before 4.0.1.

Action-Not Available
Vendor-four_kitchensThe Drupal Association
Product-block_classBlock Class
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3901
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 39.87%
||
7 Day CHG~0.00%
Published-23 Apr, 2025 | 17:07
Updated-18 Jun, 2025 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bootstrap Site Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-042

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Bootstrap Site Alert allows Cross-Site Scripting (XSS).This issue affects Bootstrap Site Alert: from 0.0.0 before 1.13.0, from 3.0.0 before 3.0.4.

Action-Not Available
Vendor-bootstrap_site_alert_projectThe Drupal Association
Product-bootstrap_site_alertBootstrap Site Alert
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3733
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.5||MEDIUM
EPSS-0.23% / 45.66%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 16:30
Updated-02 Sep, 2025 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
baguetteBox.js - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-034

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal baguetteBox.Js allows Cross-Site Scripting (XSS).This issue affects baguetteBox.Js: from 0.0.0 before 2.0.4, from 3.0.0 before 3.0.1.

Action-Not Available
Vendor-baguettebox.js_projectThe Drupal Association
Product-baguettebox.jsbaguetteBox.js
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31696
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 37.83%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:55
Updated-02 Sep, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RapiDoc OAS Field Formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal RapiDoc OAS Field Formatter allows Cross-Site Scripting (XSS).This issue affects RapiDoc OAS Field Formatter: from 0.0.0 before 1.0.1.

Action-Not Available
Vendor-chapterthreeThe Drupal Association
Product-rapidoc_oas_field_formatterRapiDoc OAS Field Formatter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31695
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 37.83%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:52
Updated-02 Sep, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Link field display mode formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Link field display mode formatter allows Cross-Site Scripting (XSS).This issue affects Link field display mode formatter: from 0.0.0 before 1.6.0.

Action-Not Available
Vendor-upstreamableThe Drupal Association
Product-link_field_display_mode_formatterLink field display mode formatter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31675
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 50.31%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:35
Updated-02 Jun, 2025 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31682
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 37.78%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:40
Updated-02 Jun, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Google Tag allows Cross-Site Scripting (XSS).This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8.

Action-Not Available
Vendor-google_tag_projectThe Drupal Association
Product-google_tagGoogle Tag
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31687
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 37.83%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:44
Updated-28 Aug, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SpamSpan filter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-016

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal SpamSpan filter allows Cross-Site Scripting (XSS).This issue affects SpamSpan filter: from 0.0.0 before 3.2.1.

Action-Not Available
Vendor-drowlThe Drupal Association
Product-spamspan_filterSpamSpan filter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31697
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 37.83%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:55
Updated-02 Sep, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Formatter Suite - Moderately critical - Cross site scripting - SA-CONTRIB-2025-026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Formatter Suite allows Cross-Site Scripting (XSS).This issue affects Formatter Suite: from 0.0.0 before 2.1.0.

Action-Not Available
Vendor-formatter_suite_projectThe Drupal Association
Product-formatter_suiteFormatter Suite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31679
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 39.87%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:38
Updated-04 Jun, 2025 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Ignition Error Pages allows Cross-Site Scripting (XSS).This issue affects Ignition Error Pages: from 0.0.0 before 1.0.4.

Action-Not Available
Vendor-ignition_error_pages_projectThe Drupal Association
Product-ignition_error_pagesIgnition Error Pages
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3130
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 34.13%
||
7 Day CHG~0.00%
Published-02 Apr, 2025 | 21:10
Updated-29 Apr, 2025 | 13:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Obfuscate allows Stored XSS.This issue affects Obfuscate: from 0.0.0 before 2.0.1.

Action-Not Available
Vendor-The Drupal Association
Product-obfuscateObfuscate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3057
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.35% / 57.22%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:33
Updated-15 Apr, 2025 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Critical - Cross site scripting - SA-CORE-2025-001

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-7603
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.27% / 49.76%
||
7 Day CHG~0.00%
Published-15 Jan, 2019 | 22:00
Updated-17 Sep, 2024 | 02:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Search Autocomplete

In Drupal's 3rd party module search auto complete prior to versions 7.x-4.8 there is a Cross Site Scripting vulnerability. This Search Autocomplete module enables you to autocomplete textfield using data from your website (nodes, comments, etc.). The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability can be exploited by any user allowed to create one of the autocompletion item, for instance, nodes, users, comments.

Action-Not Available
Vendor-search_autocomplete_projectThe Drupal Association
Product-search_autocomplete3rd party module - Search Autocomplete
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14556
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.8||MEDIUM
EPSS-0.03% / 9.62%
||
7 Day CHG~0.00%
Published-14 Jan, 2026 | 18:38
Updated-23 Jan, 2026 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in Drupal 7 Flag Module

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9.

Action-Not Available
Vendor-flag_module_projectThe Drupal Association
Product-flagFlag
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13979
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 7.63%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 20:00
Updated-12 Feb, 2026 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117

Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2.

Action-Not Available
Vendor-salsa.digitalThe Drupal Association
Product-mini_siteMini site
CWE ID-CWE-267
Privilege Defined With Unsafe Actions
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13983
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 8.47%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 20:02
Updated-29 Jan, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44.

Action-Not Available
Vendor-The Drupal Association
Product-Tagify
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14557
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 12.06%
||
7 Day CHG+0.01%
Published-14 Jan, 2026 | 18:40
Updated-23 Jan, 2026 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in Drupal 7 Facebook Pixel Module

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1.

Action-Not Available
Vendor-facebook_pixel_projectThe Drupal Association
Product-facebook_pixelFacebook Pixel
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13981
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.4||MEDIUM
EPSS-0.03% / 8.47%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 20:01
Updated-19 Feb, 2026 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4.

Action-Not Available
Vendor-artificial_intelligence_projectThe Drupal Association
Product-artificial_intelligenceAI (Artificial Intelligence)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12848
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-7||HIGH
EPSS-0.07% / 21.10%
||
7 Day CHG~0.00%
Published-26 Nov, 2025 | 01:28
Updated-05 Dec, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS vulnerability when rendering filename in Webform Multiform

Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at  https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module.

Action-Not Available
Vendor-webform_multiple_file_upload_projectThe Drupal Association
Product-webform_multiple_file_uploadDrupal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12761
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-3.5||LOW
EPSS-0.04% / 11.05%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 16:56
Updated-08 Dec, 2025 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi step form: from 0.0.0 before 2.0.0.

Action-Not Available
Vendor-simple_multi_step_form_projectThe Drupal Association
Product-simple_multi_step_formSimple multi step form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12083
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.06% / 17.08%
||
7 Day CHG+0.01%
Published-29 Oct, 2025 | 23:14
Updated-03 Dec, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.

Action-Not Available
Vendor-salsa.digitalThe Drupal Association
Product-civictheme_design_systemCivicTheme Design System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-10926
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.06% / 17.08%
||
7 Day CHG+0.01%
Published-29 Oct, 2025 | 23:12
Updated-12 Dec, 2025 | 18:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JSON Field - Critical - Cross Site Scripting - SA-CONTRIB-2025-106

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting (XSS).This issue affects JSON Field: from 0.0.0 before 1.5.

Action-Not Available
Vendor-json_field_projectThe Drupal Association
Product-json_fieldJSON Field
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-10927
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.06% / 17.08%
||
7 Day CHG+0.01%
Published-29 Oct, 2025 | 23:13
Updated-12 Dec, 2025 | 17:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site Scripting (XSS).This issue affects Plausible tracking: from 0.0.0 before 1.0.2.

Action-Not Available
Vendor-plausible_tracking_projectThe Drupal Association
Product-plausible_trackingPlausible tracking
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-55635
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.47% / 64.35%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 23:23
Updated-02 Jun, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13673
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.15% / 35.32%
||
7 Day CHG-0.10%
Published-11 Feb, 2022 | 15:35
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.

Action-Not Available
Vendor-The Drupal Association
Product-entity_embedEntity Embed
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13668
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 44.65%
||
7 Day CHG-0.15%
Published-11 Feb, 2022 | 15:15
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Access bypass in Drupal Core 8/9

Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13666
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.51% / 66.05%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 13:50
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13669
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 42.36%
||
7 Day CHG-0.13%
Published-11 Feb, 2022 | 15:25
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-41960
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.8||LOW
EPSS-0.43% / 62.12%
||
7 Day CHG~0.00%
Published-05 Aug, 2024 | 19:59
Updated-19 Sep, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting (XSS) via Relay Hosts Configuration in mailcow: dockerized

mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user's browser. This could lead to data theft, or further exploitation. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-mailcowmailcow
Product-mailcow\mailcow-dockerized
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-22919
Matching Score-4
Assigner-SICK AG
ShareView Details
Matching Score-4
Assigner-SICK AG
CVSS Score-3.8||LOW
EPSS-0.01% / 2.00%
||
7 Day CHG~0.00%
Published-15 Jan, 2026 | 13:08
Updated-23 Jan, 2026 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data.

Action-Not Available
Vendor-SICK AG
Product-tdc-x401gltdc-x401gl_firmwareTDC-X401GL
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0473
Matching Score-4
Assigner-OTRS AG
ShareView Details
Matching Score-4
Assigner-OTRS AG
CVSS Score-3.8||LOW
EPSS-0.36% / 57.98%
||
7 Day CHG~0.00%
Published-07 Feb, 2022 | 10:25
Updated-16 Sep, 2024 | 23:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dynamic field error message is vulnerable to XSS

OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions.

Action-Not Available
Vendor-OTRS AG
Product-otrsOTRS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62412
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.8||LOW
EPSS-0.00% / 0.06%
||
7 Day CHG~0.00%
Published-16 Oct, 2025 | 17:54
Updated-23 Oct, 2025 | 12:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LibreNMS alert-rules Cross-Site Scripting Vulnerability

LibreNMS is a community-based GPL-licensed network monitoring system. The alert rule name in the Alerts > Alert Rules page is not properly sanitized, and can be used to inject HTML code. This vulnerability is fixed in 25.10.0.

Action-Not Available
Vendor-LibreNMS
Product-librenmslibrenms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3076
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.8||LOW
EPSS-0.14% / 34.84%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 13:23
Updated-10 Jun, 2025 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MM-email2image <= 0.2.5 - Stored XSS via CSRF

The MM-email2image WordPress plugin through 0.2.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Action-Not Available
Vendor-mmilan81Unknown
Product-mm-email2imageMM-email2image
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13116
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.8||LOW
EPSS-0.03% / 9.52%
||
7 Day CHG~0.00%
Published-27 Jan, 2025 | 06:00
Updated-13 May, 2025 | 21:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Crelly Slider < 1.4.7 - Admin+ Stored XSS

The Crelly Slider WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-crelly_slider_projectUnknown
Product-crelly_sliderCrelly Slider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3628
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.8||LOW
EPSS-0.22% / 44.04%
||
7 Day CHG~0.00%
Published-07 May, 2024 | 06:00
Updated-09 May, 2025 | 15:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EasyEvent <= 1.0.0 - Admin+ Stored XSS

The EasyEvent WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Action-Not Available
Vendor-dwallianceUnknownfaktorystudios
Product-easyeventEasyEventeasyevent
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23677
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-3.8||LOW
EPSS-0.11% / 29.95%
||
7 Day CHG~0.00%
Published-30 Mar, 2023 | 10:58
Updated-19 Feb, 2025 | 21:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GTmetrix for WordPress Plugin <= 0.4.5 is vulnerable to Cross Site Scripting (XSS)

Reflected Cross-Site Scripting (XSS) vulnerability in GTmetrix GTmetrix for WordPress plugin <= 0.4.5 versions.

Action-Not Available
Vendor-gtmetrixGTmetrix
Product-gtmetrixGTmetrix for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2972
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-3.8||LOW
EPSS-0.09% / 26.11%
||
7 Day CHG~0.00%
Published-24 Apr, 2024 | 05:00
Updated-08 May, 2025 | 19:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Floating Chat Widget < 3.1.9 - Editor+ Stored XSS

The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-premioUnknownpremio
Product-floating_chat_widgetFloating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button floating_chat_widget
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2256
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-3.8||LOW
EPSS-0.88% / 75.07%
||
7 Day CHG~0.00%
Published-01 Sep, 2022 | 19:57
Updated-03 Aug, 2024 | 00:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-single_sign-onkeycloak
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • Next
Details not found