Cross-Site Scripting Vulnerability in Drupal Umami Analytics
CVE-2025-10931

3.8 LOW

Key Information:

Vendor: Drupal
CVE Published: 29 October 2025

What is CVE-2025-10931?

Drupal Umami Analytics is susceptible to a Cross-Site Scripting (XSS) vulnerability caused by improper handling of input during web page generation. An attacker who exploits this flaw can execute arbitrary scripts in the context of a user's session, potentially leading to data theft, session hijacking, or defacement of the affected website. All versions of Umami Analytics prior to 1.0.1 are affected, so installations running one of those versions need prompt attention.

Affected Version(s)

Umami Analytics 0.0.0 < 1.0.1

CVSS V3.1

Score: 3.8
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Rudloff (prudloff)
Ivica Puljic (pivica)
Damien McKenna (damienmckenna)
Juraj Nemec (poker10)