Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-31675

Summary
Assigner-drupal
Assigner Org ID-2c85b837-eb8b-40ed-9d74-228c62987387
Published At-31 Mar, 2025 | 21:35
Updated At-29 Apr, 2025 | 15:45
Rejected At-
Credits

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:drupal
Assigner Org ID:2c85b837-eb8b-40ed-9d74-228c62987387
Published At:31 Mar, 2025 | 21:35
Updated At:29 Apr, 2025 | 15:45
Rejected At:
▼CVE Numbering Authority (CNA)
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.

Affected Products
Vendor
The Drupal AssociationDrupal
Product
Drupal core
Collection URL
https://www.drupal.org/project/drupal
Repo
https://git.drupalcode.org/project/drupal
Default Status
unaffected
Versions
Affected
  • From 8.0.0 before 10.3.14 (semver)
  • From 10.4.0 before 10.4.5 (semver)
  • From 11.0.0 before 11.0.13 (semver)
  • From 11.1.0 before 11.1.5 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-63CAPEC-63 Cross-Site Scripting (XSS)
CAPEC ID: CAPEC-63
Description: CAPEC-63 Cross-Site Scripting (XSS)
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Samuel Mortenson (samuel.mortenson)
remediation developer
Benji Fisher (benjifisher)
remediation developer
Bram Driesen (bramdriesen)
remediation developer
Alex Bronstein (effulgentsia)
remediation developer
Jen Lampton (jenlampton)
remediation developer
Lee Rowlands (larowlan)
remediation developer
Dave Long (longwave)
remediation developer
Drew Webber (mcdruid)
remediation developer
Joseph Zhao (pandaski)
remediation developer
Adam G-H (phenaproxima)
remediation developer
Samuel Mortenson (samuel.mortenson)
remediation developer
Jess (xjm)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.drupal.org/sa-core-2025-004
N/A
Hyperlink: https://www.drupal.org/sa-core-2025-004
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:mlhess@drupal.org
Published At:31 Mar, 2025 | 22:15
Updated At:02 Jun, 2025 | 16:25

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches
The Drupal Association
drupal
>>drupal>>Versions from 8.0.0(inclusive) to 10.3.14(exclusive)
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>drupal>>Versions from 10.4.0(inclusive) to 10.4.5(exclusive)
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>drupal>>Versions from 11.0.0(inclusive) to 11.0.13(exclusive)
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>drupal>>Versions from 11.1.0(inclusive) to 11.1.5(exclusive)
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarymlhess@drupal.org
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Secondary
Source: mlhess@drupal.org
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.drupal.org/sa-core-2025-004mlhess@drupal.org
Vendor Advisory
Hyperlink: https://www.drupal.org/sa-core-2025-004
Source: mlhess@drupal.org
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

9238Records found
CVE-2021-41165
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.09% / 26.26%
||
7 Day CHG~0.00%
Published-17 Nov, 2021 | 19:15
Updated-04 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTML comments vulnerability allowing to execute JavaScript code

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

Action-Not Available
Vendor-ckeditorckeditorThe Drupal AssociationOracle Corporation
Product-application_expressbanking_apispeoplesoft_enterprise_peopletoolsbanking_digital_experiencedrupalckeditorcommerce_guided_searchwebcenter_portalagile_product_lifecycle_managementckeditor4
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41164
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.05% / 15.42%
||
7 Day CHG~0.00%
Published-17 Nov, 2021 | 00:00
Updated-04 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML

CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

Action-Not Available
Vendor-ckeditorckeditorFedora ProjectOracle CorporationThe Drupal Association
Product-application_expressbanking_apispeoplesoft_enterprise_peopletoolsbanking_digital_experiencefedoradrupalckeditoragile_plmcommerce_guided_searchwebcenter_portalckeditor4
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10909
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.61% / 68.93%
||
7 Day CHG~0.00%
Published-16 May, 2019 | 21:36
Updated-04 Aug, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

Action-Not Available
Vendor-sensiolabsn/aThe Drupal Association
Product-drupalsymfonyn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3130
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.05% / 16.85%
||
7 Day CHG~0.00%
Published-02 Apr, 2025 | 21:10
Updated-29 Apr, 2025 | 13:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Obfuscate allows Stored XSS.This issue affects Obfuscate: from 0.0.0 before 2.0.1.

Action-Not Available
Vendor-The Drupal Association
Product-obfuscateObfuscate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13286
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 11.03%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:13
Updated-10 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal SVG Embed allows Cross-Site Scripting (XSS).This issue affects SVG Embed: from 0.0.0 before 2.1.2.

Action-Not Available
Vendor-The Drupal Association
Product-SVG Embed
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13294
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 11.03%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:17
Updated-10 Jan, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal POST File allows Cross-Site Scripting (XSS).This issue affects POST File: from 0.0.0 before 1.0.2.

Action-Not Available
Vendor-The Drupal Association
Product-POST File
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13252
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 21.07%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 18:58
Updated-04 Jun, 2025 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-016

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal TacJS allows Cross-Site Scripting (XSS).This issue affects TacJS: from 0.0.0 before 6.5.0.

Action-Not Available
Vendor-tacjs_projectThe Drupal Association
Product-tacjsTacJS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13245
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 21.07%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 18:51
Updated-07 Jul, 2025 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CKEditor 4 LTS - WYSIWYG HTML editor allows Cross-Site Scripting (XSS).This issue affects CKEditor 4 LTS - WYSIWYG HTML editor: from 1.0.0 before 1.0.1.

Action-Not Available
Vendor-cksourceThe Drupal Association
Product-ckeditor_4CKEditor 4 LTS - WYSIWYG HTML editor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13238
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 21.07%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 18:33
Updated-04 Jun, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Typogrify allows Cross-Site Scripting (XSS).This issue affects Typogrify: from 0.0.0 before 1.3.0.

Action-Not Available
Vendor-typogrify_projectThe Drupal Association
Product-typogrifyTypogrify
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13273
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 11.03%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 19:26
Updated-09 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Open Social allows Cross-Site Scripting (XSS).This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5, from 13.0.0 before 13.0.0-alpha11.

Action-Not Available
Vendor-The Drupal Association
Product-Open Social
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13287
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 11.03%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:13
Updated-10 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Views SVG Animation - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-051

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Views SVG Animation allows Cross-Site Scripting (XSS).This issue affects Views SVG Animation: from 0.0.0 before 1.0.1.

Action-Not Available
Vendor-The Drupal Association
Product-Views SVG Animation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13289
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 11.03%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:15
Updated-10 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Cookiebot + GTM allows Cross-Site Scripting (XSS).This issue affects Cookiebot + GTM: from 0.0.0 before 1.0.18.

Action-Not Available
Vendor-The Drupal Association
Product-Cookiebot + GTM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13237
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 21.07%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 18:15
Updated-04 Jun, 2025 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting (XSS).This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38.

Action-Not Available
Vendor-file_entity_projectThe Drupal Association
Product-file_entityFile Entity (fieldable files)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12393
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 32.08%
||
7 Day CHG+0.04%
Published-09 Dec, 2024 | 23:20
Updated-02 Jun, 2025 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-24728
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.60% / 68.61%
||
7 Day CHG-0.05%
Published-16 Mar, 2022 | 00:00
Updated-23 Apr, 2025 | 18:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-site Scripting in CKEditor4

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

Action-Not Available
Vendor-ckeditorckeditorOracle CorporationFedora ProjectThe Drupal Association
Product-application_expresspeoplesoft_enterprise_peopletoolsfinancial_services_trade-based_anti_money_launderingcommerce_merchandisingfinancial_services_analytical_applications_infrastructurefedoradrupalckeditorfinancial_services_behavior_detection_platformckeditor4
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-4064
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 63.89%
||
7 Day CHG~0.00%
Published-30 Jul, 2007 | 17:00
Updated-07 Aug, 2024 | 14:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.2, and 4.7.x before 4.7.7, (1) allow remote attackers to inject arbitrary web script or HTML via "some server variables," including PHP_SELF; and (2) allow remote authenticated administrators to inject arbitrary web script or HTML via custom content type names.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13669
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.53% / 66.08%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 15:25
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13688
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.32% / 54.14%
||
7 Day CHG~0.00%
Published-11 Jun, 2021 | 15:08
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13673
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 47.82%
||
7 Day CHG-0.04%
Published-11 Feb, 2022 | 15:35
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.

Action-Not Available
Vendor-The Drupal Association
Product-entity_embedEntity Embed
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13666
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.34% / 55.81%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 13:50
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-5096
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 65.67%
||
7 Day CHG~0.00%
Published-13 Sep, 2011 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Flag Content module 5.x-2.x before 5.x-2.10 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Reason parameter.

Action-Not Available
Vendor-khalid_baheyeldinn/aThe Drupal Association
Product-drupalflag_contentn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-8765
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 51.58%
||
7 Day CHG~0.00%
Published-14 Oct, 2014 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Project Issue File Review module (PIFR) module 6.x-2.x before 6.x-2.17 for Drupal allow (1) remote attackers to inject arbitrary web script or HTML via a crafted patch, which triggers a PIFR client to test the patch and return the results to the PIFR_Server test results page or (2) remote authenticated users with the "manage PIFR environments" permission to inject arbitrary web script or HTML via vectors involving a PIFR_Server administrative page.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-project_issue_file_reviewn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-4518
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.18%
||
7 Day CHG~0.00%
Published-31 Dec, 2009 | 19:00
Updated-17 Sep, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Insert Node module 5.x before 5.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via an inserted node.

Action-Not Available
Vendor-mark_burtonn/aThe Drupal Association
Product-insertnodedrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-4602
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 54.59%
||
7 Day CHG~0.00%
Published-12 Jan, 2010 | 17:00
Updated-16 Sep, 2024 | 23:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-randomizerdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-3779
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 65.67%
||
7 Day CHG~0.00%
Published-26 Oct, 2009 | 17:00
Updated-07 Aug, 2024 | 06:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in vCard 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the addition of the theme_vcard function to a theme and the use of default content.

Action-Not Available
Vendor-stefan_auditorn/aThe Drupal Association
Product-vcarddrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-8744
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.21% / 43.21%
||
7 Day CHG~0.00%
Published-13 Oct, 2014 | 18:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Nivo Slider module 7.x-2.x before 7.x-1.11 for Drupal allows remote authenticated users with the "administer nivo slider" permission to inject arbitrary web script or HTML via an image title.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-nivo_slidern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11023
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-21.55% / 95.50%
||
7 Day CHG-0.44%
Published-29 Apr, 2020 | 00:00
Updated-30 Jul, 2025 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-02-13||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Potential XSS vulnerability in jQuery

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Action-Not Available
Vendor-jQuery (OpenJS Foundation)Oracle CorporationFedora ProjectThe Drupal AssociationTenable, Inc.NetApp, Inc.Debian GNU/Linux
Product-blockchain_platformcommunications_element_managerh410sh500ecommunications_eagle_application_processorh410c_firmwaredebian_linuxstoragetek_acslssnap_creator_frameworkh300s_firmwareh300efedorabanking_enterprise_collectionscommunications_analyticsrest_data_serviceshyperion_financial_reportingh700eweblogic_serverhci_baseboard_management_controlleroncommand_insightfinancial_services_revenue_management_and_billing_analyticsbusiness_intelligenceh700scloud_backuplog_correlation_engineapplication_expresscommunications_session_report_managerh700e_firmwaresiebel_mobilecloud_insights_storage_workload_security_agenthealthcare_translational_researchactive_iq_unified_managerjqueryjd_edwards_enterpriseone_orchestratorpeoplesoft_enterprise_human_capital_management_resourcessnapcenter_serverjd_edwards_enterpriseone_toolsh410s_firmwareprimavera_gatewaycommunications_session_route_managercommunications_operations_monitorh700s_firmwarefinancial_services_regulatory_reporting_for_de_nederlandsche_bankwebcenter_sitesh500s_firmwarestoragetek_tape_analytics_sw_toolcommunications_services_gatekeepeross_support_toolshealth_sciences_informmax_datacommunications_interactive_session_recorderdrupalh300sh410ch500sh500e_firmwareoncommand_system_managerbanking_platformapplication_testing_suiteh300e_firmwarejQueryJQuery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-4207
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.18%
||
7 Day CHG~0.00%
Published-04 Dec, 2009 | 19:00
Updated-16 Sep, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.7 and 6.x before 6.x-2.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a submission.

Action-Not Available
Vendor-nathan_haugn/aThe Drupal Association
Product-webformdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-4516
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 53.54%
||
7 Day CHG~0.00%
Published-31 Dec, 2009 | 19:00
Updated-17 Sep, 2024 | 03:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-nanwichn/aThe Drupal Association
Product-faq_askdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11022
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-2.57% / 84.95%
||
7 Day CHG~0.00%
Published-29 Apr, 2020 | 00:00
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential XSS vulnerability in jQuery

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Action-Not Available
Vendor-jQuery (OpenJS Foundation)Tenable, Inc.The Drupal AssociationopenSUSEOracle CorporationNetApp, Inc.Fedora ProjectDebian GNU/Linux
Product-peoplesoft_enterprise_peopletoolsfinancial_services_data_foundationretail_back_officeinsurance_allocation_manager_for_enterprise_profitabilityfinancial_services_hedge_management_and_ifrs_valuationsh410c_firmwareh300s_firmwarehospitality_simphonystoragetek_acslsfinancial_services_loan_loss_forecasting_and_provisioningsnapcenterpolicy_automation_for_mobile_devicescommunications_application_session_controllerjqueryfedorafinancial_services_profitability_managementoncommand_system_managerh500s_firmwareleapfinancial_services_liquidity_risk_measurement_and_managementh300ebanking_digital_experiencefinancial_services_asset_liability_managementinsurance_accounting_analyzerretail_returns_managementfinancial_services_regulatory_reporting_for_us_federal_reservepolicy_automation_connector_for_siebeldebian_linuxweblogic_serverfinancial_services_liquidity_risk_managementinsurance_data_foundationsnap_creator_frameworkfinancial_services_market_risk_measurement_and_managementh410ccommunications_diameter_signaling_router_idih\h410spolicy_automationh300sfinancial_services_price_creation_and_discoveryh300e_firmwareblockchain_platformhealthcare_foundationmax_datafinancial_services_analytical_applications_infrastructurefinancial_services_balance_sheet_planningh500eh500e_firmwaredrupalh700eenterprise_manager_ops_centerapplication_testing_suitecommunications_services_gatekeeperfinancial_services_basel_regulatory_capital_internal_ratings_based_approachfinancial_services_data_governance_for_us_regulatory_reportinginsurance_insbridge_rating_and_underwritingretail_customer_management_and_segmentation_foundationoncommand_insightagile_product_lifecycle_management_for_processfinancial_services_basel_regulatory_capital_basiccommunications_billing_and_revenue_managementh500ssiebel_ui_frameworkfinancial_services_regulatory_reporting_for_european_banking_authorityhospitality_materials_controllog_correlation_enginefinancial_services_institutional_performance_analyticsenterprise_session_border_controllercommunications_webrtc_session_controllerfinancial_services_data_integration_hubh410s_firmwarecommunications_eagle_application_processorh700s_firmwarejdeveloperagile_product_supplier_collaboration_for_processfinancial_services_analytical_applications_reconciliation_frameworkh700e_firmwareh700sfinancial_services_funds_transfer_pricingjQuery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-3157
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.34% / 55.66%
||
7 Day CHG~0.00%
Published-10 Sep, 2009 | 18:00
Updated-17 Sep, 2024 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Calendar module 6.x before 6.x-2.2 for Drupal allows remote authenticated users, with "create new content types" privileges, to inject arbitrary web script or HTML via the title of a content type.

Action-Not Available
Vendor-karen_stevensonn/aThe Drupal Association
Product-drupalcalendarn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-1575
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.72% / 71.59%
||
7 Day CHG~0.00%
Published-06 May, 2009 | 17:00
Updated-07 Aug, 2024 | 05:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-2076
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.18% / 39.29%
||
7 Day CHG~0.00%
Published-16 Jun, 2009 | 19:00
Updated-16 Sep, 2024 | 22:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Views 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via (1) exposed filters in the Views UI administrative interface and in the (2) view name parameter in the define custom views feature. NOTE: vector 2 is only exploitable by users with administer views permissions.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-viewsdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-2079
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.34% / 55.66%
||
7 Day CHG~0.00%
Published-16 Jun, 2009 | 19:00
Updated-17 Sep, 2024 | 03:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the administrative page interface in Taxonomy manager 5.x before 5.x-1.2 and 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users, with administer taxonomy privileges or the ability to use free tagging to add taxonomy terms, to inject arbitrary web script or HTML via (1) vocabulary names, (2) synonyms, and (3) term names.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-taxonomy_managerdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-5022
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 49.43%
||
7 Day CHG~0.00%
Published-22 Jul, 2014 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-0818
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.32% / 54.78%
||
7 Day CHG~0.00%
Published-05 Mar, 2009 | 02:00
Updated-07 Aug, 2024 | 04:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the taxonomy_theme_admin_table_builder function (taxonomy_theme_admin.inc) in Taxonomy Theme module before 5.x-1.2, a module for Drupal, allows remote authenticated users with the "administer taxonomy" permission, or the ability to create pages when tagging is enabled, to inject arbitrary web script or HTML via the Vocabulary name (name parameter) to index.php. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaltaxonomy_theme_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-1035
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.18%
||
7 Day CHG~0.00%
Published-20 Mar, 2009 | 18:00
Updated-07 Aug, 2024 | 04:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Tasklist module 5.x-1.x before 5.x-1.3 and 5.x-2.x before 5.x-2.0-alpha1, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via Cascading Style Sheets (CSS).

Action-Not Available
Vendor-jake_gordonn/aThe Drupal Association
Product-tasksdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-8092
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-7.6||HIGH
EPSS-0.04% / 12.29%
||
7 Day CHG~0.00%
Published-15 Aug, 2025 | 16:26
Updated-21 Aug, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.16.

Action-Not Available
Vendor-cookies_consent_management_projectThe Drupal Association
Product-cookies_consent_managementCOOKiES Consent Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-8362
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.20%
||
7 Day CHG~0.00%
Published-15 Aug, 2025 | 16:27
Updated-21 Aug, 2025 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS).This issue affects GoogleTag Manager: from 0.0.0 before 1.10.0.

Action-Not Available
Vendor-googletag_manager_projectThe Drupal Association
Product-googletag_managerGoogleTag Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-1344
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.18%
||
7 Day CHG~0.00%
Published-20 Apr, 2009 | 14:06
Updated-17 Sep, 2024 | 03:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Localization client module 5.x before 5.x-1.2 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the translation functionality.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-localization_clientdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-7716
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 8.57%
||
7 Day CHG~0.00%
Published-21 Jul, 2025 | 16:36
Updated-26 Aug, 2025 | 20:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Real-time SEO for Drupal allows Cross-Site Scripting (XSS).This issue affects Real-time SEO for Drupal: from 2.0.0 before 2.2.0.

Action-Not Available
Vendor-real-time_seo_projectThe Drupal Association
Product-real-time_seoReal-time SEO for Drupal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-7715
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 8.16%
||
7 Day CHG~0.00%
Published-21 Jul, 2025 | 16:36
Updated-26 Aug, 2025 | 20:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Block Attributes allows Cross-Site Scripting (XSS).This issue affects Block Attributes: from 0.0.0 before 1.1.0, from 2.0.0 before 2.0.1.

Action-Not Available
Vendor-block_attributes_projectThe Drupal Association
Product-block_attributesBlock Attributes
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5682
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.19%
||
7 Day CHG~0.00%
Published-26 Jun, 2025 | 13:33
Updated-09 Jul, 2025 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Klaro Cookie & Consent Management allows Cross-Site Scripting (XSS).This issue affects Klaro Cookie & Consent Management: from 0.0.0 before 3.0.7.

Action-Not Available
Vendor-klaro_cookie_\&_consent_management_projectThe Drupal Association
Product-klaro_cookie_\&_consent_managementKlaro Cookie & Consent Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-6677
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 8.57%
||
7 Day CHG~0.00%
Published-26 Jun, 2025 | 13:34
Updated-11 Jul, 2025 | 14:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Paragraphs table allows Cross-Site Scripting (XSS).This issue affects Paragraphs table: from 2.0.0 before 2.0.5.

Action-Not Available
Vendor-paragraphs_table_projectThe Drupal Association
Product-paragraphs_tableParagraphs table
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-0817
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.35% / 56.44%
||
7 Day CHG~0.00%
Published-05 Mar, 2009 | 02:00
Updated-07 Aug, 2024 | 04:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Protected Node module 5.x before 5.x-1.4 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users with "administer site configuration" permissions to inject arbitrary web script or HTML via the Password page info field, which is not properly handled by the protected_node_enterpassword function in protected_node.module.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-protected_node_moduledrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-6341
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-55.27% / 97.97%
||
7 Day CHG~0.00%
Published-26 Mar, 2019 | 18:04
Updated-04 Aug, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Action-Not Available
Vendor-Debian GNU/LinuxFedora ProjectThe Drupal Association
Product-debian_linuxfedoradrupalDrupal core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-48914
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-8.6||HIGH
EPSS-0.07% / 22.45%
||
7 Day CHG~0.00%
Published-13 Jun, 2025 | 15:41
Updated-18 Jun, 2025 | 15:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.

Action-Not Available
Vendor-The Drupal Association
Product-cookies_consent_managementCOOKiES Consent Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-48915
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-8.6||HIGH
EPSS-0.07% / 22.45%
||
7 Day CHG~0.00%
Published-13 Jun, 2025 | 15:41
Updated-18 Jun, 2025 | 15:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-076

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.

Action-Not Available
Vendor-The Drupal Association
Product-cookies_consent_managementCOOKiES Consent Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-48447
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-7.1||HIGH
EPSS-0.07% / 21.40%
||
7 Day CHG~0.00%
Published-11 Jun, 2025 | 14:37
Updated-20 Jun, 2025 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lightgallery - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-069

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Lightgallery allows Cross-Site Scripting (XSS).This issue affects Lightgallery: from 0.0.0 before 1.6.0.

Action-Not Available
Vendor-lightgallery_projectThe Drupal Association
Product-lightgalleryLightgallery
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-48920
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-7.3||HIGH
EPSS-0.06% / 19.43%
||
7 Day CHG~0.00%
Published-13 Jun, 2025 | 15:40
Updated-08 Jul, 2025 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal etracker allows Cross-Site Scripting (XSS).This issue affects etracker: from 0.0.0 before 3.1.0.

Action-Not Available
Vendor-etrackerThe Drupal Association
Product-etrackeretracker
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 184
  • 185
  • Next
Details not found