XSS in Drupal Core
CVE-2025-31675
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.001 (25.1th percentile)
Affected products
- Drupal Core — versions 8.0.0, 10.4.0, 11.0.0
- Drupal Link — versions 7.x-1.0
Weakness classification (CWE)
References
- www.drupal.org/sa-core-2025-004 (vendor-advisory)
- www.herodevs.com/vulnerability-directory/cve-2025-31675 (third-party-advisory)
- d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting… (third-party-advisory)