CVE-2025-11570
Description
Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filtering of data. Note: This is exploitable only if the code is executed outside of Drupal; the function is intended to be shared between Drupal and Pattern Lab. The package drupal-pattern-lab/unified-twig-extensions is unmaintained; the fix for this issue exists in version 1.1.1 of drupal/unified_twig_ext.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The drupal-pattern-lab/unified-twig-extensions package is vulnerable to XSS due to insufficient filtering, exploitable only outside Drupal.
Vulnerability
Overview
The package drupal-pattern-lab/unified-twig-extensions is vulnerable to Cross-site Scripting (XSS) due to insufficient filtering of data. The vulnerability affects all versions from 0.0.0. The root cause is that the package does not properly sanitize user-supplied input when rendering Twig templates, allowing an attacker to inject arbitrary HTML or JavaScript [1][2].
Exploitation
Conditions
This vulnerability is exploitable only when the code is executed outside of Drupal. The package is intended to share custom Twig extensions between Drupal and Pattern Lab, and the vulnerable function is only exposed when used in a non-Drupal context [1][2]. A proof-of-concept demonstrates that the link() function can be abused with a payload like {{ link('', 'bar', '') }} to trigger XSS [2].
Impact
An attacker who can control input passed to the vulnerable Twig function can execute arbitrary JavaScript in the context of the victim's browser. This could lead to session hijacking, defacement, or theft of sensitive information. The CVSS v3 base score is 4.6 (Medium) [1].
Mitigation
Status
The original package is unmaintained. The fix is available in version 1.1.1 of the forked package drupal/unified_twig_ext hosted on Drupal.org [1][4]. Users are advised to migrate to the maintained fork to remediate the vulnerability.
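As an added illustration of the missing filtering described above (this is not the package's code nor the fix shipped in the drupal/unified_twig_ext fork), the following plain-PHP helper shows how a link-building Twig function should treat its inputs. The three-argument shape (url, title, attributes) is assumed from the three-argument proof-of-concept call; attributes are accepted as an array rather than a raw string so each one can be escaped on its own.

```php
<?php
// Added example, not the package's own code. Signature (url, title,
// attributes) is an assumption based on the proof-of-concept call shape.
// In Twig this body would be registered with new \Twig\TwigFunction('link', ...)
// and marked as returning safe HTML, since it escapes everything itself.

function safe_link(string $url, string $title, array $attributes = []): string
{
    // Refuse URL schemes that can execute script (javascript:, data:, ...).
    $allowed = ['http', 'https', 'mailto'];
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false || (is_string($scheme) && !in_array(strtolower($scheme), $allowed, true))) {
        $url = '#';
    }

    // Escape for the attribute/text context; ENT_QUOTES covers both quote styles.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $attrs = '';
    foreach ($attributes as $name => $value) {
        // Allow only plain attribute names and drop on* event handlers entirely.
        if (!preg_match('/^[a-z][a-z0-9-]*$/i', (string) $name) || stripos((string) $name, 'on') === 0) {
            continue;
        }
        $attrs .= ' ' . $name . '="' . $esc((string) $value) . '"';
    }

    return '<a href="' . $esc($url) . '"' . $attrs . '>' . $esc($title) . '</a>';
}

// Constructed sample inputs: markup and script in every position come out inert.
echo safe_link('https://example.com/?q=<b>', 'Click "here"', ['class' => 'btn', 'onclick' => 'alert(1)']), PHP_EOL;
echo safe_link('javascript:alert(1)', '<script>alert(1)</script>'), PHP_EOL;
```

The unpatched behaviour the advisory describes is the opposite: concatenating url, title and attributes into the anchor tag verbatim, which is exactly what lets a template caller inject markup.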
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal-pattern-lab/unified-twig-extensions (Packagist) | <= 0.1.0 | — |
Affected products
- (no CPE) range: <= 0.1.0
- (no CPE) range: >= 0.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-64mv-9655-37hx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-11570 (GHSA, advisory)
- github.com/drupal-pattern-lab/unified-twig-extensions/blob/862b9deccab544ca68e3aaaccc257d14acc9b1f6/example/_twig-components/functions/link.function.php#L9 (NVD, web)
- security.snyk.io/vuln/SNYK-PHP-DRUPALPATTERNLABUNIFIEDTWIGEXTENSIONS-8400877 (NVD, web)
- www.drupal.org/project/unified_twig_ext (GHSA, web)
- www.drupal.org/sa-contrib-2023-041 (NVD, web)
News mentions
No linked articles in our index yet.