What is CVE-2022-25277?

CVE-2022-25277 is a vulnerability in Drupal Core. Published 2023-04-26.

Is CVE-2022-25277 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Drupal Core

CVE-2022-25277

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However…

EPSS: 0.024 (85.5th percentile) — read the EPSS interpretation.

Affected products

Drupal Core — versions 9.4, 9.3

Public proof-of-concept exploits

ARPSyndicate/cve-scores
jsanchez949/CavernSafeVuln

References

www.drupal.org/sa-core-2022-014

Frequently asked questions

What is CVE-2022-25277?: CVE-2022-25277 is a vulnerability in Drupal Core. Published 2023-04-26.
Is CVE-2022-25277 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.