CVE-2022-25273
Description
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core's form API is vulnerable to improper input validation in certain contributed/custom module forms, potentially allowing attackers to inject disallowed values or overwrite sensitive data.
CVE-2022-25273 describes an improper input validation vulnerability in Drupal core's Form API. The flaw affects forms built by contributed or custom modules, where the API fails to properly validate certain inputs. This can allow an attacker to inject values that should be disallowed or overwrite existing data [2][3].
Exploitation requires a Drupal site running an affected version (8.0.0 to 9.2.17, or 9.3.0 to 9.3.11) and a form from a contributed or custom module that is susceptible to this validation gap. The attacker does not need special privileges if the form is publicly accessible, but the specific forms affected are uncommon [3].
The impact varies depending on the form's function. In worst-case scenarios, an attacker could alter critical or sensitive data, such as modifying user permissions or site configuration. The advisory notes that no core forms are known to be vulnerable, but custom modules may expose sensitive operations [2][3].
The Drupal Security Team released patches in versions 9.2.18 and 9.3.12. Site administrators should update immediately. The vulnerability is not covered by Drupal Steward, so proactive patching is essential. No workarounds are mentioned; updating is the recommended mitigation [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
drupal/corePackagist | >= 8.0.0, < 9.2.18 | 9.2.18 |
drupal/corePackagist | >= 9.3.0, < 9.3.12 | 9.3.12 |
Affected products
3- osv-coords2 versions
>= 8.0.0, < 9.2.18+ 1 more
- (no CPE)range: >= 8.0.0, < 9.2.18
- (no CPE)range: >= 8.0.0, < 9.2.18
- Drupal/Corev5Range: 9.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-g36h-4jr6-qmm9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-25273ghsaADVISORY
- www.drupal.org/sa-core-2022-008ghsaWEB
News mentions
0No linked articles in our index yet.