Vulnerability-Lookup

WID-SEC-W-2025-2733

Vulnerability from csaf_certbund - Published: 2025-12-03 23:00 - Updated: 2026-01-28 23:00

Summary

Drupal-Module: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Drupal ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.

Angriff

Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Drupal ausnutzen, um Cross-Site-Scripting-Angriffe zu starten, Sicherheitsmaßnahmen zu umgehen und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme

- Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Drupal ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. \u00dcber zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Drupal ausnutzen, um Cross-Site-Scripting-Angriffe zu starten, Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-2733 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2733.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-2733 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2733"
      },
      {
        "category": "external",
        "summary": "Drupal Security Advisory vom 2025-12-03",
        "url": "https://www.drupal.org/sa-contrib-2025-117"
      },
      {
        "category": "external",
        "summary": "Drupal Security Advisory vom 2025-12-03",
        "url": "https://www.drupal.org/sa-contrib-2025-118"
      },
      {
        "category": "external",
        "summary": "Drupal Security Advisory vom 2025-12-03",
        "url": "https://www.drupal.org/sa-contrib-2025-119"
      },
      {
        "category": "external",
        "summary": "Drupal Security Advisory vom 2025-12-03",
        "url": "https://www.drupal.org/sa-contrib-2025-120"
      },
      {
        "category": "external",
        "summary": "Drupal Security Advisory vom 2025-12-03",
        "url": "https://www.drupal.org/sa-contrib-2025-121"
      },
      {
        "category": "external",
        "summary": "Drupal Security Advisory vom 2025-12-03",
        "url": "https://www.drupal.org/sa-contrib-2025-122"
      },
      {
        "category": "external",
        "summary": "Drupal Security Advisory vom 2025-12-03",
        "url": "https://www.drupal.org/sa-contrib-2025-123"
      },
      {
        "category": "external",
        "summary": "Drupal Security Advisory vom 2025-12-03",
        "url": "https://www.drupal.org/sa-contrib-2025-124"
      }
    ],
    "source_lang": "en-US",
    "title": "Drupal-Module: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-01-28T23:00:00.000+00:00",
      "generator": {
        "date": "2026-01-29T08:27:37.862+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2025-2733",
      "initial_release_date": "2025-12-03T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-12-03T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-01-28T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2025-206436, EUVD-2025-206437, EUVD-2025-206438, EUVD-2025-206439, EUVD-2025-206440, EUVD-2025-206441, EUVD-2025-206442, EUVD-2025-206435"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Disable Login Page \u003c1.1.3",
                "product": {
                  "name": "Open Source Drupal Disable Login Page \u003c1.1.3",
                  "product_id": "T049055"
                }
              },
              {
                "category": "product_version",
                "name": "Disable Login Page 1.1.3",
                "product": {
                  "name": "Open Source Drupal Disable Login Page 1.1.3",
                  "product_id": "T049055-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:disable_login_page__1.1.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Mini Site \u003c3.0.2",
                "product": {
                  "name": "Open Source Drupal Mini Site \u003c3.0.2",
                  "product_id": "T049056"
                }
              },
              {
                "category": "product_version",
                "name": "Mini Site 3.0.2",
                "product": {
                  "name": "Open Source Drupal Mini Site 3.0.2",
                  "product_id": "T049056-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:mini_site__3.0.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "CKEditor 5 Premium Features \u003c1.2.10",
                "product": {
                  "name": "Open Source Drupal CKEditor 5 Premium Features \u003c1.2.10",
                  "product_id": "T049057"
                }
              },
              {
                "category": "product_version",
                "name": "CKEditor 5 Premium Features 1.2.10",
                "product": {
                  "name": "Open Source Drupal CKEditor 5 Premium Features 1.2.10",
                  "product_id": "T049057-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:ckeditor_5_premium_features__1.2.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "CKEditor 5 Premium Features \u003c1.3.6",
                "product": {
                  "name": "Open Source Drupal CKEditor 5 Premium Features \u003c1.3.6",
                  "product_id": "T049058"
                }
              },
              {
                "category": "product_version",
                "name": "CKEditor 5 Premium Features 1.3.6",
                "product": {
                  "name": "Open Source Drupal CKEditor 5 Premium Features 1.3.6",
                  "product_id": "T049058-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:ckeditor_5_premium_features__1.3.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "CKEditor 5 Premium Features \u003c1.4.3",
                "product": {
                  "name": "Open Source Drupal CKEditor 5 Premium Features \u003c1.4.3",
                  "product_id": "T049059"
                }
              },
              {
                "category": "product_version",
                "name": "CKEditor 5 Premium Features 1.4.3",
                "product": {
                  "name": "Open Source Drupal CKEditor 5 Premium Features 1.4.3",
                  "product_id": "T049059-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:ckeditor_5_premium_features__1.4.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "CKEditor 5 Premium Features \u003c1.5.1",
                "product": {
                  "name": "Open Source Drupal CKEditor 5 Premium Features \u003c1.5.1",
                  "product_id": "T049060"
                }
              },
              {
                "category": "product_version",
                "name": "CKEditor 5 Premium Features 1.5.1",
                "product": {
                  "name": "Open Source Drupal CKEditor 5 Premium Features 1.5.1",
                  "product_id": "T049060-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:ckeditor_5_premium_features__1.5.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "CKEditor 5 Premium Features \u003c1.6.4",
                "product": {
                  "name": "Open Source Drupal CKEditor 5 Premium Features \u003c1.6.4",
                  "product_id": "T049061"
                }
              },
              {
                "category": "product_version",
                "name": "CKEditor 5 Premium Features 1.6.4",
                "product": {
                  "name": "Open Source Drupal CKEditor 5 Premium Features 1.6.4",
                  "product_id": "T049061-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:ckeditor_5_premium_features__1.6.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "AI \u003c1.0.7",
                "product": {
                  "name": "Open Source Drupal AI \u003c1.0.7",
                  "product_id": "T049062"
                }
              },
              {
                "category": "product_version",
                "name": "AI 1.0.7",
                "product": {
                  "name": "Open Source Drupal AI 1.0.7",
                  "product_id": "T049062-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:ai__1.0.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "AI \u003c1.1.7",
                "product": {
                  "name": "Open Source Drupal AI \u003c1.1.7",
                  "product_id": "T049063"
                }
              },
              {
                "category": "product_version",
                "name": "AI 1.1.7",
                "product": {
                  "name": "Open Source Drupal AI 1.1.7",
                  "product_id": "T049063-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:ai__1.1.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "AI \u003c1.2.4",
                "product": {
                  "name": "Open Source Drupal AI \u003c1.2.4",
                  "product_id": "T049064"
                }
              },
              {
                "category": "product_version",
                "name": "AI 1.2.4",
                "product": {
                  "name": "Open Source Drupal AI 1.2.4",
                  "product_id": "T049064-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:ai__1.2.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Login Time Restriction \u003c1.0.3",
                "product": {
                  "name": "Open Source Drupal Login Time Restriction \u003c1.0.3",
                  "product_id": "T049065"
                }
              },
              {
                "category": "product_version",
                "name": "Login Time Restriction 1.0.3",
                "product": {
                  "name": "Open Source Drupal Login Time Restriction 1.0.3",
                  "product_id": "T049065-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:login_time_restriction__1.0.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Tagify \u003c1.2.44",
                "product": {
                  "name": "Open Source Drupal Tagify \u003c1.2.44",
                  "product_id": "T049066"
                }
              },
              {
                "category": "product_version",
                "name": "Tagify 1.2.44",
                "product": {
                  "name": "Open Source Drupal Tagify 1.2.44",
                  "product_id": "T049066-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:tagify__1.2.44"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Entity Share \u003c3.13.0",
                "product": {
                  "name": "Open Source Drupal Entity Share \u003c3.13.0",
                  "product_id": "T049067"
                }
              },
              {
                "category": "product_version",
                "name": "Entity Share 3.13.0",
                "product": {
                  "name": "Open Source Drupal Entity Share 3.13.0",
                  "product_id": "T049067-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:entity_share__3.13.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Next.js \u003c1.6.4",
                "product": {
                  "name": "Open Source Drupal Next.js \u003c1.6.4",
                  "product_id": "T049074"
                }
              },
              {
                "category": "product_version",
                "name": "Next.js 1.6.4",
                "product": {
                  "name": "Open Source Drupal Next.js 1.6.4",
                  "product_id": "T049074-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:next.js__1.6.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Next.js \u003c2.0.1",
                "product": {
                  "name": "Open Source Drupal Next.js \u003c2.0.1",
                  "product_id": "T049075"
                }
              },
              {
                "category": "product_version",
                "name": "Next.js 2.0.1",
                "product": {
                  "name": "Open Source Drupal Next.js 2.0.1",
                  "product_id": "T049075-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:next.js__2.0.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Drupal"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-13979",
      "product_status": {
        "known_affected": [
          "T049056"
        ]
      },
      "release_date": "2025-12-03T23:00:00.000+00:00",
      "title": "CVE-2025-13979"
    },
    {
      "cve": "CVE-2025-13980",
      "product_status": {
        "known_affected": [
          "T049061",
          "T049060",
          "T049059",
          "T049058",
          "T049057"
        ]
      },
      "release_date": "2025-12-03T23:00:00.000+00:00",
      "title": "CVE-2025-13980"
    },
    {
      "cve": "CVE-2025-13981",
      "product_status": {
        "known_affected": [
          "T049062",
          "T049064",
          "T049063"
        ]
      },
      "release_date": "2025-12-03T23:00:00.000+00:00",
      "title": "CVE-2025-13981"
    },
    {
      "cve": "CVE-2025-13982",
      "product_status": {
        "known_affected": [
          "T049065"
        ]
      },
      "release_date": "2025-12-03T23:00:00.000+00:00",
      "title": "CVE-2025-13982"
    },
    {
      "cve": "CVE-2025-13983",
      "product_status": {
        "known_affected": [
          "T049066"
        ]
      },
      "release_date": "2025-12-03T23:00:00.000+00:00",
      "title": "CVE-2025-13983"
    },
    {
      "cve": "CVE-2025-13984",
      "product_status": {
        "known_affected": [
          "T049074"
        ]
      },
      "release_date": "2025-12-03T23:00:00.000+00:00",
      "title": "CVE-2025-13984"
    },
    {
      "cve": "CVE-2025-13985",
      "product_status": {
        "known_affected": [
          "T049067"
        ]
      },
      "release_date": "2025-12-03T23:00:00.000+00:00",
      "title": "CVE-2025-13985"
    },
    {
      "cve": "CVE-2025-13986",
      "product_status": {
        "known_affected": [
          "T049055"
        ]
      },
      "release_date": "2025-12-03T23:00:00.000+00:00",
      "title": "CVE-2025-13986"
    }
  ]
}

CVE-2025-13985 (GCVE-0-2025-13985)

Vulnerability from cvelistv5 – Published: 2026-01-28 20:02 – Updated: 2026-01-29 17:53

Title

Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123

Summary

Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-863 - Incorrect Authorization

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-123

Impacted products

	Vendor	Product	Version
	Drupal	Entity Share	Affected: 0.0.0 , < 3.13.0 (semver)

Credits

JÃ¼rgen Haas (jurgenhaas) Florent Torregrosa (grimreaper) Joachim Noreiko (joachim) Bram Driesen (bramdriesen) cilefen (cilefen) Greg Knaddison (greggles) Drew Webber (mcdruid) Juraj Nemec (poker10) Jess (xjm)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13985",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T17:53:33.475809Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T17:53:36.778Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/entity_share",
          "defaultStatus": "unaffected",
          "product": "Entity Share",
          "repo": "https://git.drupalcode.org/project/entity_share",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "3.13.0",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "J\u00c3\u00bcrgen Haas (jurgenhaas)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Florent Torregrosa (grimreaper)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Joachim Noreiko (joachim)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Bram Driesen (bramdriesen)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "cilefen  (cilefen)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2025-12-03T18:49:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.\u003cp\u003eThis issue affects Entity Share: from 0.0.0 before 3.13.0.\u003c/p\u003e"
            }
          ],
          "value": "Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-87",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-87 Forceful Browsing"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T20:02:40.252Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-123"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-13985",
    "datePublished": "2026-01-28T20:02:40.252Z",
    "dateReserved": "2025-12-03T17:04:26.862Z",
    "dateUpdated": "2026-01-29T17:53:36.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13983 (GCVE-0-2025-13983)

Vulnerability from cvelistv5 – Published: 2026-01-28 20:02 – Updated: 2026-01-29 17:52

Title

Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121

Summary

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-121

Impacted products

	Vendor	Product	Version
	Drupal	Tagify	Affected: 0.0.0 , < 1.2.44 (semver)

Credits

Drew Webber (mcdruid) Bram Driesen (bramdriesen) David Galeano (gxleano) Lee Rowlands (larowlan) Drew Webber (mcdruid) Bram Driesen (bramdriesen) Greg Knaddison (greggles) Drew Webber (mcdruid) Jess (xjm)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13983",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T17:52:20.904164Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T17:52:24.726Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/tagify",
          "defaultStatus": "unaffected",
          "product": "Tagify",
          "repo": "https://git.drupalcode.org/project/tagify",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "1.2.44",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Bram Driesen (bramdriesen)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "David Galeano (gxleano)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Lee Rowlands (larowlan)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Bram Driesen (bramdriesen)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2025-12-03T18:48:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Tagify: from 0.0.0 before 1.2.44.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T20:02:09.110Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-121"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-13983",
    "datePublished": "2026-01-28T20:02:09.110Z",
    "dateReserved": "2025-12-03T17:04:24.229Z",
    "dateUpdated": "2026-01-29T17:52:24.726Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13984 (GCVE-0-2025-13984)

Vulnerability from cvelistv5 – Published: 2026-01-28 20:02 – Updated: 2026-01-29 18:24

Title

Next.js - Critical - Access bypass - SA-CONTRIB-2025-122

Summary

Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-942 - Permissive Cross-domain Security Policy with Untrusted Domains

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-122

Impacted products

	Vendor	Product	Version
	Drupal	Next.js	Affected: 0.0.0 , < 1.6.4 (semver) Affected: 2.0.0 , < 2.0.1 (semver)

Credits

Mike Decker (pookmish) Brian Perry (brianperry) Rob Decker (rrrob) Bram Driesen (bramdriesen) Greg Knaddison (greggles) Jess (xjm)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13984",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T18:24:01.824775Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T18:24:28.956Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/next",
          "defaultStatus": "unaffected",
          "product": "Next.js",
          "repo": "https://git.drupalcode.org/project/next",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "1.6.4",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.0.1",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mike Decker (pookmish)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Brian Perry (brianperry)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Rob Decker (rrrob)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Bram Driesen (bramdriesen)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2025-12-03T18:49:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-942",
              "description": "CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T20:02:22.486Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-122"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Next.js - Critical - Access bypass - SA-CONTRIB-2025-122",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-13984",
    "datePublished": "2026-01-28T20:02:22.486Z",
    "dateReserved": "2025-12-03T17:04:25.507Z",
    "dateUpdated": "2026-01-29T18:24:28.956Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13979 (GCVE-0-2025-13979)

Vulnerability from cvelistv5 – Published: 2026-01-28 20:00 – Updated: 2026-01-29 17:10

Title

Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117

Summary

Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-267 - Privilege Defined With Unsafe Actions

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-117

Impacted products

	Vendor	Product	Version
	Drupal	Mini site	Affected: 0.0.0 , < 3.0.2 (semver)

Credits

Pierre Rudloff (prudloff) cb_govcms Greg Knaddison (greggles) Juraj Nemec (poker10) Pierre Rudloff (prudloff) Jess (xjm)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13979",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T17:10:00.857726Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T17:10:16.561Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/minisite",
          "defaultStatus": "unaffected",
          "product": "Mini site",
          "repo": "https://git.drupalcode.org/project/minisite",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "3.0.2",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pierre Rudloff (prudloff)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "cb_govcms"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Pierre Rudloff (prudloff)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2025-12-03T18:47:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.\u003cp\u003eThis issue affects Mini site: from 0.0.0 before 3.0.2.\u003c/p\u003e"
            }
          ],
          "value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-267",
              "description": "CWE-267 Privilege Defined With Unsafe Actions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T20:00:38.256Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-117"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-13979",
    "datePublished": "2026-01-28T20:00:38.256Z",
    "dateReserved": "2025-12-03T17:04:18.274Z",
    "dateUpdated": "2026-01-29T17:10:16.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13982 (GCVE-0-2025-13982)

Vulnerability from cvelistv5 – Published: 2026-01-28 20:01 – Updated: 2026-01-29 18:26

Title

Summary

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.This issue affects Login Time Restriction: from 0.0.0 before 1.0.3.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-120

Impacted products

	Vendor	Product	Version
	Drupal	Login Time Restriction	Affected: 0.0.0 , < 1.0.3 (semver)

Credits

Pierre Rudloff (prudloff) Kunal Singh (kunal_singh) Greg Knaddison (greggles) Juraj Nemec (poker10) Pierre Rudloff (prudloff) Jess (xjm)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13982",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T18:25:35.739246Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T18:26:19.573Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/login_time_restriction",
          "defaultStatus": "unaffected",
          "product": "Login Time Restriction",
          "repo": "https://git.drupalcode.org/project/login_time_restriction",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "1.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pierre Rudloff (prudloff)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Kunal Singh (kunal_singh)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Pierre Rudloff (prudloff)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2025-12-03T18:48:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Login Time Restriction: from 0.0.0 before 1.0.3.\u003c/p\u003e"
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.This issue affects Login Time Restriction: from 0.0.0 before 1.0.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T20:01:52.670Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-120"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-13982",
    "datePublished": "2026-01-28T20:01:52.670Z",
    "dateReserved": "2025-12-03T17:04:22.525Z",
    "dateUpdated": "2026-01-29T18:26:19.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13980 (GCVE-0-2025-13980)

Vulnerability from cvelistv5 – Published: 2026-01-28 20:01 – Updated: 2026-01-29 17:11

Title

CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118

Summary

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-118

Impacted products

	Vendor	Product	Version
	Drupal	CKEditor 5 Premium Features	Affected: 0.0.0 , < 1.2.10 (semver) Affected: 1.3.0 , < 1.3.6 (semver) Affected: 1.4.0 , < 1.4.3 (semver) Affected: 1.5.0 , < 1.5.1 (semver) Affected: 1.6.0 , < 1.6.4 (semver)

Credits

Wojciech Kukowski (salmonek) Wojciech Kukowski (salmonek) Greg Knaddison (greggles) Juraj Nemec (poker10) Jess (xjm)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13980",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T17:11:20.684032Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T17:11:46.810Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/ckeditor5_premium_features",
          "defaultStatus": "unaffected",
          "product": "CKEditor 5 Premium Features",
          "repo": "https://git.drupalcode.org/project/ckeditor5_premium_features",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "1.2.10",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.3.6",
              "status": "affected",
              "version": "1.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.4.3",
              "status": "affected",
              "version": "1.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.5.1",
              "status": "affected",
              "version": "1.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.6.4",
              "status": "affected",
              "version": "1.6.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Wojciech Kukowski (salmonek)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Wojciech Kukowski (salmonek)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2025-12-03T18:48:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.\u003cp\u003eThis issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4.\u003c/p\u003e"
            }
          ],
          "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-554",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-554 Functionality Bypass"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T20:01:16.894Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-118"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-13980",
    "datePublished": "2026-01-28T20:01:16.894Z",
    "dateReserved": "2025-12-03T17:04:19.606Z",
    "dateUpdated": "2026-01-29T17:11:46.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13981 (GCVE-0-2025-13981)

Vulnerability from cvelistv5 – Published: 2026-01-28 20:01 – Updated: 2026-01-29 17:12

Title

AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119

Summary

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4.

Severity ?

4.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-119

Impacted products

	Vendor	Product	Version
	Drupal	AI (Artificial Intelligence)	Affected: 0.0.0 , < 1.0.7 (semver) Affected: 1.1.0 , < 1.1.7 (semver) Affected: 1.2.0 , < 1.2.4 (semver)

Credits

Drew Webber (mcdruid) Marcus Johansson (marcus_johansson) Bram Driesen (bramdriesen) Greg Knaddison (greggles) Drew Webber (mcdruid) Juraj Nemec (poker10) Jess (xjm)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13981",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T17:12:42.119742Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T17:12:45.481Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/ai",
          "defaultStatus": "unaffected",
          "product": "AI (Artificial Intelligence)",
          "repo": "https://git.drupalcode.org/project/ai",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "1.0.7",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.1.7",
              "status": "affected",
              "version": "1.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.2.4",
              "status": "affected",
              "version": "1.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Marcus Johansson (marcus_johansson)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Bram Driesen (bramdriesen)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2025-12-03T18:48:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T20:01:32.915Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-119"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-13981",
    "datePublished": "2026-01-28T20:01:32.915Z",
    "dateReserved": "2025-12-03T17:04:21.182Z",
    "dateUpdated": "2026-01-29T17:12:45.481Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13986 (GCVE-0-2025-13986)

Vulnerability from cvelistv5 – Published: 2026-01-28 20:02 – Updated: 2026-01-29 18:23

Title

Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124

Summary

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-124

Impacted products

	Vendor	Product	Version
	Drupal	Disable Login Page	Affected: 0.0.0 , < 1.1.3 (semver)

Credits

Pierre Rudloff (prudloff) Anoop John (anoopjohn) Jijo Joseph (jijojoseph_zyxware) Pierre Rudloff (prudloff) cilefen (cilefen) Greg Knaddison (greggles) Drew Webber (mcdruid) Juraj Nemec (poker10) Jess (xjm)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T18:23:37.066417Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T18:23:43.693Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/disable_login",
          "defaultStatus": "unaffected",
          "product": "Disable Login Page",
          "repo": "https://git.drupalcode.org/project/disable_login",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "1.1.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pierre Rudloff (prudloff)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Anoop John (anoopjohn)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jijo Joseph (jijojoseph_zyxware)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Pierre Rudloff (prudloff)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "cilefen  (cilefen)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2025-12-03T18:49:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.\u003cp\u003eThis issue affects Disable Login Page: from 0.0.0 before 1.1.3.\u003c/p\u003e"
            }
          ],
          "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-554",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-554 Functionality Bypass"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T20:02:53.919Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-124"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-13986",
    "datePublished": "2026-01-28T20:02:53.919Z",
    "dateReserved": "2025-12-03T17:04:28.074Z",
    "dateUpdated": "2026-01-29T18:23:43.693Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-2733

CVE-2025-13985 (GCVE-0-2025-13985)

CVE-2025-13983 (GCVE-0-2025-13983)

CVE-2025-13984 (GCVE-0-2025-13984)

CVE-2025-13979 (GCVE-0-2025-13979)

CVE-2025-13982 (GCVE-0-2025-13982)

CVE-2025-13980 (GCVE-0-2025-13980)

CVE-2025-13981 (GCVE-0-2025-13981)

CVE-2025-13986 (GCVE-0-2025-13986)

Tags

Sightings

Nomenclature