CVE-2025-31675
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 Link module from versions 7.x-1.0 through 7.x-1.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Drupal core's Link field due to insufficient sanitization allows stored XSS by attackers with edit permissions.
Vulnerability Details
A cross-site scripting (XSS) vulnerability exists in Drupal core's Link field due to insufficient sanitization of attributes during web page generation [2][4]. The improper neutralization of input allows attackers to inject malicious scripts that are stored and executed in the context of other users' browsers [3].
Exploitation
Exploitation requires the ability to add specific attributes to a Link field, which typically necessitates edit permissions via core web services, REST APIs, or custom/contrib modules [2][4]. The vulnerability is stored, meaning the malicious payload persists and triggers when the link is rendered.
Impact
Successful exploitation can lead to session hijacking, data theft, malware distribution, defacement, or privilege escalation within the context of the affected site [2].
Mitigation
Drupal core has been patched in versions 10.3.14, 10.4.5, 11.0.13, and 11.1.5 [4]. For Drupal 7, the affected Link module versions 7.x-1.0 through 7.x-1.12 are patched in Link NES 7.1.14 [2][3]. Sites that disable the Link module or do not use link fields are not affected [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/core | Packagist | >= 8.0.0, < 10.3.14 | 10.3.14 |
| drupal/core | Packagist | >= 10.4.0, < 10.4.5 | 10.4.5 |
| drupal/core | Packagist | >= 11.0.0, < 11.0.13 | 11.0.13 |
| drupal/core | Packagist | >= 11.1.0, < 11.1.5 | 11.1.5 |
Affected products
- Drupal 7 Link module, range: >=7.x-1.0, <=7.x-1.12
- Drupal core, range: >=8.0.0, <10.3.14 || >=10.4.0, <10.4.5 || >=11.0.0, <11.0.13 || >=11.1.0, <11.1.5
- OSV coordinates (no CPE), two version ranges: >= 8.0.0, < 10.4.5 and >= 8.0.0, < 10.3.14
Patches
- 42c5ca7aca62818ab15707b4d59b775ad8bc0f286521ced6b
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m4wj-hhwj-47qp (ADVISORY, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-31675 (ADVISORY, via GHSA)
- www.drupal.org/sa-core-2025-004 (WEB, Vendor Advisory, via NVD)
- d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004 (WEB, via NVD)
- www.herodevs.com/vulnerability-directory/cve-2025-31675 (WEB, via NVD)
News mentions
- Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004 (Drupal Security Advisories, Mar 19, 2025)