CVE-2025-71310 LOW

CVE-2025-71310

Vendor Backdropcms
Product GDPR cookies module for Backdrop CMS
Weakness CWE-80 · XSS · basic
Published May 26, 2026
Last update May 26, 2026

CVSS base score

1.8/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L

What the vulnerability does

01Description

The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.

Key dates

02Disclosure timeline

May 26, 2026 CVE published
May 26, 2026 Record updated