CVE-2022-25271
Description
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core's form API vulnerability allows attackers to inject disallowed values or overwrite data in certain contributed/custom modules' forms.
Vulnerability
Drupal core's form API contains an improper input validation vulnerability affecting certain contributed or custom modules' forms. This allows an attacker to inject disallowed values or overwrite data. The vulnerability affects Drupal core versions prior to the fix. [1]
Exploitation
An attacker can exploit this vulnerability by submitting crafted input to a vulnerable form. No authentication is required if the form is publicly accessible. The attack complexity is low, but the vulnerable forms are uncommon. [1]
Impact
Successful exploitation could allow an attacker to alter critical or sensitive data. The scope of impact depends on the module's data, potentially leading to data integrity compromise or unauthorized overwriting of data. [1]
Mitigation
The Drupal project has released security updates to address this vulnerability. Users should update to the latest Drupal core version. For specific version details, refer to the Drupal security advisory. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
drupal/corePackagist | >= 9.3.0, < 9.3.6 | 9.3.6 |
drupal/corePackagist | >= 8.0.0, < 9.2.13 | 9.2.13 |
drupal/corePackagist | >= 7.0.0, < 7.88 | 7.88 |
Affected products
3- osv-coords2 versions
>= 7.0.0, < 7.88.0+ 1 more
- (no CPE)range: >= 7.0.0, < 7.88.0
- (no CPE)range: >= 9.3.0, < 9.3.6
- Drupal/Corev5Range: 9.3.x
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- github.com/advisories/GHSA-fmfv-x8mp-5767ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2022-25271ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4ghsaWEB
- www.drupal.org/sa-core-2022-003ghsaWEB
News mentions
0No linked articles in our index yet.