Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS). This issue affects Umami Analytics: from 0.0.0 before 1.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal Umami Analytics module allows XSS via the 'administer umami analytics' permission lacking the 'restrict access' flag, fixed in 1.0.1.
Vulnerability
CVE-2025-10931 describes a cross-site scripting (XSS) vulnerability in the Drupal Umami Analytics module [1]. The root cause is that the permission 'administer umami analytics' lacks the 'restrict access' flag, which should alert administrators that this permission is potentially dangerous [2]. This permission allows an administrator to insert an arbitrary JavaScript file on every page of the site [2].
Exploitation
The vulnerability is mitigated by the fact that an attacker must have a role with the 'administer umami analytics' permission to exploit it [2]. Therefore, the attack surface is limited to privileged users such as site administrators or users assigned roles with that permission. The attacker could inject malicious JavaScript code that would execute in the context of any user visiting the site.
Impact
Successful exploitation could lead to cross-site scripting (XSS), allowing an attacker to perform actions such as stealing session cookies, defacing the site, or redirecting users to malicious sites [1][2]. The CVSS vector and severity have not yet been provided by NVD [1].
Mitigation
The Drupal Security Team has released a fix in Umami Analytics 1.0.1 (and 2.0.-beta3) [2]. Users are advised to upgrade to the latest version and to review which roles and users hold the 'administer umami analytics' permission, so that only trusted users are granted it [2].
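The permission flag the advisory refers to is declared in a module's permissions YAML. The following is an added illustration, not code from the Umami Analytics module: it assumes the permission lives in a file such as umami_analytics.permissions.yml and shows the declaration without the flag beside the declaration with it.

```yaml
# Added example (not the module's own file). Assumes the module declares its
# permissions in umami_analytics.permissions.yml, as Drupal modules do.
#
# Weak form: without 'restrict access', the permissions admin page gives no
# hint that a role holding this permission can inject a script on every page.
administer umami analytics:
  title: 'Administer Umami Analytics'
  description: 'Configure the analytics script that is output on every page.'
---
# Corrected form: 'restrict access: true' makes Drupal render its standard
# "give to trusted roles only" security warning next to the permission, so
# site builders see the risk before granting it.
administer umami analytics:
  title: 'Administer Umami Analytics'
  description: 'Configure the analytics script that is output on every page.'
  restrict access: true
```

The flag only changes the warning shown in the permissions UI; the actual exposure is decided by which roles are granted the permission, which is why the advisory also asks for a role review.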
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/umami_analytics (Packagist) | < 1.0.1 | 1.0.1 |
Affected products
- Range: >=0.0.0, <1.0.1
- Drupal/Umami Analytics, v5 range: 0.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jxp8-4jw5-5xjc (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-10931 (GHSA, advisory)
- www.drupal.org/sa-contrib-2025-109 (GHSA, web)
News mentions
No linked articles in our index yet.