Drupal Security

Project: Drupal coreDate: 2025-November-12Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Denial of ServiceAffected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8CVE IDs: CVE-2025-13080Description: 

Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.

This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).

This could be exploited in various ways:

• Broken rendering of some pages
• Unstyled or malformatted pages
• Adverse impacts on client-side functionality

Changes are being made in the underlying library which will mitigate this problem, but in the meantime Drupal core has been hardened to protect against this vulnerability. The authors of the underlying library do not believe it is a source of vulnerabilities in other systems. Drupal's use of library leads to an implementation-specific vulnerability, so we've issued this advisory and reserved a CVE ID for the vulnerability in Drupal.

Solution: 

Install the latest version:

• If you are using Drupal 10.4, update to Drupal 10.4.9.
• If you are using Drupal 10.5, update to Drupal 10.5.6.
• If you are using Drupal 11.1, update to Drupal 11.1.9.
• If you are using Drupal 11.2, update to Drupal 11.2.8.

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Dragos Dumitrescu (dragos-dumi)
• yasser ALLAM (inzo_)
• Nils Destoop (nils.destoop)
• Sven Decabooter (svendecabooter)
• zhero

Fixed By: 

• Alex Pott (alexpott) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• cilefen (cilefen) of the Drupal Security Team
• Jen Lampton (jenlampton), provisional member of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Nils Destoop (nils.destoop)
• Juraj Nemec (poker10) of the Drupal Security Team
• Ra Mänd (ram4nd), provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Coordinated By: 

• catch (catch) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Simple multi step formDate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <2.0.0CVE IDs: CVE-2025-12761Description: 

This module provides the ability to convert any entity form into a simple multi-step form.

The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer node form display”.

Solution: 

Install the latest version:

• If you use the Simple multi step form module for Drupal, upgrade to a release from the 2.x branch, as the 8.x-1.x branch is now unsupported

Reported By: 

• Ide Braakman (idebr)

Fixed By: 

• Diosbel Mezquía (dmezquia)
• Ide Braakman (idebr)
• Vitaliy Bogomazyuk (vitaliyb98)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Email TFADate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.0.6CVE IDs: CVE-2025-12760Description: 

The Email TFA module provides additional email-based two-factor authentication for Drupal logins.

In certain scenarios, the module does not fully protect all login mechanisms as expected.

This issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.

Solution: 

Install the latest version:

• If you use the Email TFA module for Drupal, upgrade to Email TFA 2.0.6

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• abdulaziz zaid

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff)

Date: 2025-November-03Description: 

The upcoming Drupal core security release window has been rescheduled from November 19, 2025 to November 12, 2025. As normal, the window will occur between 1600 UTC and 2200 UTC.

Schedule change for back-to-back DrupalCons

This schedule change is due to DrupalCons Vienna and Nara overlapping the October and November core security windows. We do not schedule core security windows during DrupalCons so that site owners and agencies can attend these conferences without having to worry about their sites or clients.

December is also not typically used for core security releases due to the quick sequencing of the Drupal core minor releases and the end-of-year holidays. This would mean a period of four months where we could not provide any regularly scheduled security update.

No special release procedures

The schedule change is not due to any highly critical issue that would require special release procedures.

As a reminder, a Drupal core security window does not necessarily mean a Drupal security release will occur, only that one is possible.

Coordinated By: 

• catch (catch) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Simple OAuth (OAuth2) & OpenID ConnectDate: 2025-October-29Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >=6.0.0 <6.0.7CVE IDs: CVE-2025-12466Description: 

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them.

The module doesn't sufficiently respect granted scopes, it affects all access checks that are based on roles. For example: routes that have the _role requirement, can be bypassed with an access token.

This vulnerability is mitigated by the fact that an attacker must have the access token in possession and the user related to the token must have the associated (role requirement) roles assigned.

Update: the Affected versions field was updated to reflect that this vulnerability was present in the 6.0.0 release and fixed in 6.0.7. Earlier versions of this advisory incorrectly stated that other versions were affected.

Solution: 

Install the latest version:

• If you use the "Simple OAuth (OAuth2) & OpenID Connect" module for Drupal, upgrade to Simple OAuth (OAuth2) & OpenID Connect 6.0.7

Reported By: 

• coffeemakr

Fixed By: 

• Bojan Bogdanovic (bojan_dev)
• coffeemakr
• Juraj Nemec (poker10) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: CivicTheme Design SystemDate: 2025-October-22Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <1.12.0CVE IDs: CVE-2025-12083Description: 

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with multiple instances of the Twig raw filter throughout CivicTheme components, allows for the injection of malicious scripts in browser contexts.

Additionally, CivicTheme fails to filter markup from SVGs embedded within the web page allowing potentially malicious scripts to be injected.

This vulnerability is mitigated by an attacker needing permission to create or edit content within a CivicTheme site.

CivicTheme with its default permissions restricts the creation of content to content author and content approver roles.

Solution: 

Install the latest version:

• If you use the CivicTheme theme, upgrade to CivicTheme 1.12.

Reported By: 

• Adam Bramley (acbramley)
• Lee Rowlands (larowlan) of the Drupal Security Team

Fixed By: 

• Alan Cole (alan.cole)
• Daniel (danielgry)
• Fiona Morrison (fionamorrison23)
• Suchi Garg (gargsuchi)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Richard Gaunt (richardgaunt)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: CivicTheme Design SystemDate: 2025-October-22Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information disclosureAffected versions: <1.12.0CVE IDs: CVE-2025-12082Description: 

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manual lists, which leads to an information disclosure vulnerability

Specifically, when unpublished or archived nodes (CivicTheme Page and Event) are referenced via card components and placed into manually curated lists or blocks, a referenced card is rendered on the page for users who do not have permission to view unpublished content. The referenced node itself is correctly checked for permission, but the information in the card component (title, thumbnail, tags) discloses information that the user does not have access to view.

This results in:

• Draft or never-published Event node data being visible to anonymous users on cards.
• Archived content persisting in curated content lists.

This disclosure bypasses editorial expectations and may expose sensitive or internal-only content unintentionally. It does not require complex interaction or elevated permissions. It is triggered by standard reference configurations and view templates.

Solution: 

Install the latest version:

• If you use the CivicTheme theme for Drupal 10.x / 11.x, upgrade to CivicTheme-1.12.0

Reported By: 

• Lee Rowlands (larowlan) of the Drupal Security Team

Fixed By: 

• Alan Cole (alan.cole)
• Daniel (danielgry)
• Fiona Morrison (fionamorrison23)
• Suchi Garg (gargsuchi)
• Joshua Fernandes (joshua1234511)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Richard Gaunt (richardgaunt)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team