Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
Project: Drupal core Date: 2025-February-19 Security risk: Critical 17 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All Vulnerability: Cross site scripting Affected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3 CVE IDs: CVE-2025-3057 Description: Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS). Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue. This issue is being protected by Drupal Steward . Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future. Solution: Install the latest version: If you use Drupal 10.3.x, update to Drupal 10.3.13 If you use Drupal 10.4.x, update to Drupal 10.4.3 If you use Drupal 11.0.x, update to Drupal 11.0.12 If you use Drupal 11.1.x, update to Drupal 11.1.3 All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Arne (arkepp) bdanin Douglas Groene (dgroene) Dragos Dumitrescu (dragos-dumi) Flo Kosiol (flokosiol) Gerardo Cadau (juanramonperez) Justin Christoffersen (larsdesigns) nuwans Sven Decabooter (svendecabooter) Will Gunn (wgunn_e) Fixed By: catch (catch) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team
CSIRTS triage
- What
- Insufficient filtering of error messages leads to a reflected Cross Site Scripting vulnerability.
- Who is affected
- Drupal installations using affected versions.
- Urgency
- Remediation is critical as it poses a risk of XSS attacks.
- Action
- Update to the latest version of Drupal.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Drupal core
Get an email when a new Drupal core advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.drupal.org/sa-core-2025-001
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2025-30570.29% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 21% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2025-3057 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for Drupal core -
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-55808: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerabi…nvd · 2026-07-10
- unknownCVE-2026-55807: Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Requ…nvd · 2026-07-10
- unknownCVE-2026-55806: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows…nvd · 2026-07-10
- unknownCVE-2026-55804: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability i…nvd · 2026-07-10
- unknownCVE-2026-55803: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability i…nvd · 2026-07-10
- unknownCVE-2026-10769: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerabi…nvd · 2026-07-10
More from Drupal Security Advisories
- criticalDrupal core - Moderately critical - Improper validation - SA-CORE-2026-0092026-06-17
- criticalDrupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-0082026-06-17
- criticalDrupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-0072026-06-17
- criticalDrupal core - Moderately critical - Gadget chain - SA-CORE-2026-0062026-06-17
- criticalDrupal core - Critical - PHP object injection - SA-CORE-2026-0052026-06-17