Medium severity5.4NVD Advisory· Published Mar 31, 2025· Updated Apr 2, 2026
CVE-2025-31675
CVE-2025-31675
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
drupal/corePackagist | >= 8.0.0, < 10.3.14 | 10.3.14 |
drupal/corePackagist | >= 10.4.0, < 10.4.5 | 10.4.5 |
drupal/corePackagist | >= 11.0.0, < 11.0.13 | 11.0.13 |
drupal/corePackagist | >= 11.1.0, < 11.1.5 | 11.1.5 |
Affected products
3- osv-coords2 versions
>= 8.0.0, < 10.4.5+ 1 more
- (no CPE)range: >= 8.0.0, < 10.4.5
- (no CPE)range: >= 8.0.0, < 10.3.14
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-m4wj-hhwj-47qpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-31675ghsaADVISORY
- www.drupal.org/sa-core-2025-004nvdVendor AdvisoryWEB
- d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004nvdWEB
- www.herodevs.com/vulnerability-directory/cve-2025-31675nvdWEB
News mentions
1- Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004Drupal Security Advisories · Mar 19, 2025