Fixed versions: 10.3.14, 10.4.5, 11.0.13, 11.1.5
CVE-2025-31675 describes a Cross-Site Scripting (XSS) vulnerability in Drupal Core. It allows attackers to inject malicious scripts into web pages, potentially leading to unauthorized access and data compromise. The issue affects Drupal core versions 8.0.0 before 10.3.14, 10.4.0 before 10.4.5, 11.0.0 before 11.0.13, and 11.1.0 before 11.1.5. Fixes are available in Drupal 10.3.14, 10.4.5, 11.0.13 and 11.1.5, one per supported branch.
Successful exploitation of CVE-2025-31675 allows an attacker to inject arbitrary JavaScript code into web pages viewed by other users. This can lead to various malicious outcomes, including session hijacking, phishing attacks, and defacement of the website. An attacker could steal sensitive user data, such as authentication credentials or personal information, and potentially gain control of user accounts. The blast radius extends to all users who interact with affected pages, making it a significant security risk, particularly for sites with high traffic or sensitive data.
CVE-2025-31675 was publicly disclosed on April 1, 2025. No public proof-of-concept (PoC) code had been released at the time of writing. The severity is rated Medium, and the vulnerability is not currently listed in the CISA KEV catalog. Active exploitation is not confirmed, but an XSS vulnerability in a widely deployed CMS warrants proactive mitigation.
EPSS: 0.27% (50th percentile)
The primary mitigation for CVE-2025-31675 is to upgrade Drupal Core to the fixed release for your branch (10.3.14, 10.4.5, 11.0.13 or 11.1.5). If immediate upgrading is not feasible, apply input validation and context-appropriate output encoding to user-supplied data to reduce the attack surface; note that these are defence-in-depth measures and do not remove the underlying core defect. A Web Application Firewall (WAF) with XSS rule sets can block some malicious requests but should not be relied on as the sole control. Regularly review contributed modules and themes for vulnerabilities and keep them up to date.
Update Drupal core to the latest available release on your branch. If you are running 8.x, 9.x or 10.0.x through 10.2.x, update to 10.3.14 or higher (these older branches receive no fix of their own). If you are running 10.3.x, update to 10.3.14 or higher. If you are running 10.4.x, update to 10.4.5 or higher. If you are running 11.0.x, update to 11.0.13 or higher. If you are running 11.1.x, update to 11.1.5 or higher. Drupal 7 is not within the affected range stated in the advisory.
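The branch-by-branch rules above are easy to get wrong by hand, especially for release candidates (10.3.14-rc1 precedes 10.3.14 and is still vulnerable) and for `dev-*` versions that carry no release number. The following checker is an added example written for this page, not code from the page, from Drupal, or from Composer. It assumes only the standard composer.lock layout (`packages` and `packages-dev` arrays of objects with `name` and `version`), that core appears as `drupal/core` or `drupal/core-recommended`, and that a `-suffix` on a version denotes a pre-release that sorts below the final release. The embedded composer.lock fragment is constructed for the example.

```python
import json
import re
from typing import Dict, Optional, Tuple

# Four-part key: (major, minor, patch, final), where final is 0 for a
# pre-release tag such as 10.3.14-rc1 and 1 for the final release, so a
# release candidate sorts below the release it precedes (assumed ordering).
VersionKey = Tuple[int, int, int, int]

# Affected ranges exactly as stated on this page: lower bound inclusive,
# upper bound (the fixing release) exclusive.
AFFECTED_RANGES = [
    ((8, 0, 0, 0), (10, 3, 14, 1)),
    ((10, 4, 0, 0), (10, 4, 5, 1)),
    ((11, 0, 0, 0), (11, 0, 13, 1)),
    ((11, 1, 0, 0), (11, 1, 5, 1)),
]

# Package names under which Drupal core appears in composer.lock.
CORE_PACKAGES = ("drupal/core", "drupal/core-recommended")


def parse_version(text: str) -> Optional[VersionKey]:
    """Parse '10.3.13', 'v10.3.13' or '10.3.14-rc1'; None for 'dev-main' and similar."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$", text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    final = 0 if m.group(4) else 1
    return (major, minor, patch, final)


def fixed_version_for(v: VersionKey) -> Optional[str]:
    """Return the fixing release for an affected version, or None if not affected."""
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi[:3]
    return None


def is_affected(v: VersionKey) -> bool:
    return fixed_version_for(v) is not None


def check_composer_lock(lock_text: str) -> Dict[str, dict]:
    """Report each Drupal core package in a composer.lock and whether it is in an affected range."""
    data = json.loads(lock_text)
    report: Dict[str, dict] = {}
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        name = pkg.get("name")
        if name not in CORE_PACKAGES:
            continue
        raw = pkg.get("version", "")
        v = parse_version(raw)
        if v is None:
            # dev-* versions carry no release number: flag for manual review
            report[name] = {"version": raw, "affected": None, "fixed_in": None}
            continue
        report[name] = {"version": raw, "affected": is_affected(v), "fixed_in": fixed_version_for(v)}
    return report


# Constructed sample composer.lock fragment (not taken from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.13"},
        {"name": "drupal/core-recommended", "version": "10.3.13"},
        {"name": "symfony/console", "version": "v6.4.15"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, row in check_composer_lock(SAMPLE_LOCK).items():
        print(name, row)
```

Run it against a real site by replacing `SAMPLE_LOCK` with the contents of the project's composer.lock. A result of `affected: None` means the version string could not be parsed and the deployed core must be checked by other means, for example the version shown on the site's status report.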
CVE-2025-31675 is a Medium severity XSS vulnerability in Drupal Core affecting versions 8.0.0 before 10.3.14, 10.4.0 before 10.4.5, 11.0.0 before 11.0.13 and 11.1.0 before 11.1.5, allowing attackers to inject malicious scripts.
You are affected if you are running Drupal Core versions 8.0.0 before 10.3.14, 10.4.0 before 10.4.5, 11.0.0 before 11.0.13, or 11.1.0 before 11.1.5.
Upgrade Drupal Core to the fixed release for your branch: 10.3.14, 10.4.5, 11.0.13 or 11.1.5 (or later). Consider input validation and output encoding as interim measures.
Active exploitation is not currently confirmed, but the vulnerability warrants proactive mitigation.
Refer to the official Drupal security advisory at [https://www.drupal.org/security/advisories/cve-2025-31675](https://www.drupal.org/security/advisories/cve-2025-31675).