CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS). This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Drupal CivicTheme Design System allows attackers with content creation permissions to inject malicious scripts via unfiltered field data and SVG markup.
Vulnerability
Overview
CVE-2025-12083 is a stored cross-site scripting (XSS) vulnerability in the Drupal CivicTheme Design System, affecting versions before 1.12.0 [1]. The root cause is improper neutralization of user-supplied input when field data is rendered in Twig templates: CivicTheme components apply the Twig raw filter in multiple places, which switches off Twig's automatic escaping for that value and lets unescaped HTML and JavaScript reach the page [2].
Exploitation
Prerequisites
An attacker must have permission to create or edit content on a CivicTheme site. By default, only content authors and content approvers have these privileges [2]. The vulnerability can be triggered by inserting malicious scripts into fields that are rendered with the raw filter, or by embedding crafted SVG markup that contains executable JavaScript [2].
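The two mechanisms above, the raw filter bypassing autoescaping and SVG markup carrying executable content, as an added PHP/Twig example that is not code from the CivicTheme project. It assumes twig/twig is installed through Composer; the template names, the summary variable, the sanitizeSvg helper and the payload are all constructed for illustration and do not come from the theme.

```php
<?php
// Added example, not code from the CivicTheme project. Assumes twig/twig is
// installed via Composer (composer require twig/twig) and PHP >= 8.0.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Two hypothetical component templates. Template and variable names are
// assumptions for illustration, not taken from the CivicTheme code base.
const TEMPLATES = [
    // Vulnerable: |raw turns autoescaping off for this one value, so whatever
    // an editor typed into the field reaches the browser as live markup.
    'summary-vulnerable.html.twig' => '<p class="summary">{{ summary|raw }}</p>',
    // Hardened: with the default "html" strategy Twig entity-encodes < > & " '
    // so the same string is displayed as text.
    'summary-hardened.html.twig'   => '<p class="summary">{{ summary }}</p>',
];

function renderSummary(string $template, string $summary): string
{
    $twig = new Environment(new ArrayLoader(TEMPLATES), [
        'autoescape' => 'html', // Drupal's Twig environment also escapes by default
        'cache'      => false,
    ]);
    return $twig->render($template, ['summary' => $summary]);
}

// Inline SVG (icons, logos) is sometimes printed unescaped on purpose. If that
// cannot be avoided, remove the executable parts instead of trusting the input.
// Returns null when the input is not a well-formed <svg> document at all.
function sanitizeSvg(string $svg): ?string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok   = $doc->loadXML($svg, LIBXML_NONET); // NONET: never fetch external resources
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->documentElement->localName !== 'svg') {
        return null;
    }

    $xp = new DOMXPath($doc);
    // 1. Drop <script> entirely, and <foreignObject>, which can carry arbitrary HTML.
    foreach (iterator_to_array($xp->query('//*[local-name()="script" or local-name()="foreignObject"]')) as $node) {
        $node->parentNode->removeChild($node);
    }
    // 2. Strip on* event handlers and javascript: links (href and xlink:href) on what remains.
    foreach (iterator_to_array($xp->query('//*')) as $el) {
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name  = strtolower($attr->localName);
            $value = strtolower(trim($attr->value));
            if (str_starts_with($name, 'on') || ($name === 'href' && str_starts_with($value, 'javascript:'))) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    return $doc->saveXML($doc->documentElement);
}

// Constructed attacker input of the kind the advisory describes: SVG markup with
// an event handler and a script element, submitted through a content field.
$payload = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">'
         . '<script>alert(1)</script><circle r="4"/></svg>';

echo renderSummary('summary-vulnerable.html.twig', $payload), PHP_EOL; // markup survives intact; runs for every visitor
echo renderSummary('summary-hardened.html.twig', $payload), PHP_EOL;   // entity-encoded; shown as text
echo sanitizeSvg($payload), PHP_EOL;                                   // <svg> kept, onload and <script> removed
```

Run it with `php example.php` from the directory that holds vendor/. The sanitizer is deliberately minimal: it covers script elements, foreignObject, on* attributes and javascript: links, which is what the advisory's SVG vector needs, but a production filter also has to decide about `<use>` and `<image>` references, style attributes and data: URIs. The simpler default, and the one the 1.12.0 fix amounts to for field data, is to never print untrusted values through `|raw`.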
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information. The attack does not require any special network position beyond being able to submit content through the Drupal interface [1][2].
Mitigation
The vulnerability is fixed in CivicTheme version 1.12.0. Users are advised to upgrade immediately. There are no known workarounds, and the advisory notes that the issue is moderately critical [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/civictheme (Packagist) | < 1.12.0 | 1.12.0 |
Affected products (2)
- Range: <1.12.0
- Drupal/CivicTheme Design System (v5): Range: 0.0.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-h72q-cq3w-h3wc (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-12083 (GHSA, advisory)
- www.drupal.org/sa-contrib-2025-113 (GHSA, web)
News mentions (0)
No linked articles in our index yet.