VYPR
Patch · Published Nov 12, 2025 · Updated May 20, 2026 · 1 source

Drupal Core Defacement Vulnerability Patched in Latest Security Release

Drupal has released patches for a moderately critical defacement vulnerability (CVE-2025-13082) affecting core versions 8.0.0 through 11.2.7.

Drupal published a security advisory on November 12, 2025, detailing a defacement vulnerability in its core software. Tracked as CVE-2025-13082, the flaw affects Drupal versions 8.0.0 through 11.2.7, with patches now available for supported branches. The vulnerability is rated moderately critical with a theoretical attack vector.

The issue allows an attacker to craft a malicious URL that, when visited by a logged-in user, temporarily defaces the site. The defacement is not stored and only appears when the crafted URL is used; no other site content is rendered. This means the attack does not persist or compromise data, but it can damage the site's appearance and user trust.

Patches have been released for Drupal 10.4.9, 10.5.6, 11.1.9, and 11.2.8. Older branches, including Drupal 8, 9, 10.3.x, and 11.0.x, are end-of-life and do not receive security coverage. Users are strongly advised to update to the latest versions to mitigate the risk.
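For administrators checking more than one site, the version ranges above can be turned into a small triage script. This is an added example, not code from the Drupal advisory or project; the function names, status labels and sample inventory are assumptions made for illustration, and the version numbers are the ones given in this article.

```python
import re

# Version data copied from the article above.
AFFECTED_MIN = (8, 0, 0)
AFFECTED_MAX = (11, 2, 7)
FIXED = {  # supported branch -> first patched release
    (10, 4): (10, 4, 9),
    (10, 5): (10, 5, 6),
    (11, 1): (11, 1, 9),
    (11, 2): (11, 2, 8),
}

# Only plain X.Y.Z is accepted; dev/rc strings are flagged for manual review.
_RELEASE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def triage(version):
    """Return (status, upgrade_target) for one Drupal core version string."""
    m = _RELEASE.match(version.strip())
    if not m:
        return ("unknown", None)
    v = tuple(int(part) for part in m.groups())
    if v < AFFECTED_MIN:
        return ("outside-range", None)
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        if v >= fixed:
            return ("patched", None)
        return ("affected", ".".join(str(n) for n in fixed))
    if v <= AFFECTED_MAX:
        # In the affected range but on a branch with no patched release (end-of-life).
        return ("affected-eol", None)
    return ("outside-range", None)


def triage_inventory(inventory):
    """Map each site name to its triage result, most urgent statuses first."""
    order = {"affected-eol": 0, "affected": 1, "unknown": 2, "outside-range": 3, "patched": 4}
    rows = [(site, *triage(ver)) for site, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical site names).
    sample = {"intranet": "10.3.14", "shop": "10.5.5", "blog": "11.2.8", "docs": "10.4.x-dev"}
    for site, status, target in triage_inventory(sample):
        print(f"{site:10} {status:14} {target or '-'}")
```

A site reported as `affected-eol` has no patched release on its branch and needs a move to a supported branch rather than a point update.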

The vulnerability was reported by Kevin Quillen and fixed by multiple members of the Drupal Security Team, including Benji Fisher, Neil Drumm, Greg Knaddison, Lee Rowlands, Drew Webber, Mingsong, Juraj Nemec, Ra Mänd, and Jess. The coordination was handled by catch, Lee Rowlands, Dave Long, and Juraj Nemec.

While the severity is moderate, the advisory underscores the importance of keeping Drupal core up to date. Site administrators should apply the patches promptly to prevent potential defacement attacks that could undermine user confidence.

Synthesized by Vypr AI