Cross-site Scripting Vulnerability in Drupal Unified Twig Extensions
CVE-2025-11570

4.8MEDIUM

Key Information:

Vendor: Drupal
Status: Drupal-pattern-lab/unified-twig-extensions
Vendor: CVE Published:; 10 October 2025

What is CVE-2025-11570?

The Unified Twig Extensions package for Drupal is susceptible to Cross-site Scripting (XSS) due to inadequate data filtering. This vulnerability can be exploited if the code is executed outside of the Drupal environment, highlighting a major security risk for users relying on this package. It is critical to upgrade to version 1.1.1 of the unified twig extensions to mitigate this security flaw, as the package itself is unmaintained.

Affected Version(s)

drupal-pattern-lab/unified-twig-extensions 0.0.0

References

https://security.snyk.io/vuln/SNYK-PHP-DRUPALPATTERNLABUN...

https://github.com/drupal-pattern-lab/unified-twig-extens...

https://www.drupal.org/sa-contrib-2023-041

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 10, 2025
Vulnerability Reserved
Oct 9, 2025

Credit

Pierre Rudloff

JSON