CVE-2025-11570 MEDIUM

Vendor N/A
Product drupal-pattern-lab/unified-twig-extensions
Weakness CWE-79 · XSS
Published October 10, 2025
Last update October 10, 2025

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:P

What the vulnerability does

1. Description

Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filtering of data. **Note:** This is exploitable only if the code is executed outside of Drupal; the function is intended to be shared between Drupal and Pattern Lab. The package drupal-pattern-lab/unified-twig-extensions is unmaintained; the fix for this issue exists in version 1.1.1 of [drupal/unified_twig_ext](https://www.drupal.org/project/unified_twig_ext).

Explanation of Vulnerability in Simple Terms

2. Summary

The Unified Twig Extensions module for Drupal contains a cross-site scripting (XSS) vulnerability in how it processes user input within Twig templates. An attacker with low-level site access can inject malicious scripts that execute in other users' browsers when they view affected pages. The vulnerability requires user interaction: the victim must visit a page containing the injected payload.

What an attacker can do

3. Attacker Capabilities

Inject malicious JavaScript that runs in other users' browsers when they view affected pages.

Potential impact on your site

4. Site Impact

Users' sessions and data could be compromised if they visit pages containing attacker-injected scripts.

Conditions required to exploit

5. Prerequisites

The attacker needs a low-level Drupal user account; the victim must visit a page containing the injected payload.

Key dates

6. Disclosure timeline

October 10, 2025 CVE published
October 10, 2025 Record updated