CVE-2025-31675

CVE-2025-31675: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Vendor Drupal

Product Drupal core

Weakness CWE-79 · XSS

Published March 31, 2025

Last update April 2, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.

Key dates

Disclosure timeline

March 31, 2025 CVE published

April 2, 2026 Record updated

Identifiers

CVE CVE-2025-31675

CWE CWE-79

Affected versions

Vendor Drupal

Product Drupal core

Affected ≥ 8.0.0 and < 10.3.14

Vendor Drupal

Product Drupal core

Affected ≥ 10.4.0 and < 10.4.5

Vendor Drupal

Product Drupal core

Affected ≥ 11.0.0 and < 11.0.13

Vendor Drupal

Product Drupal core

Affected ≥ 11.1.0 and < 11.1.5

Vendor Drupal

Product Link

Affected ≥ 7.x-1.0 and ≤ 7.x-1.12