Cross-Site Scripting Vulnerability in Drupal Simple Multi Step Form
CVE-2025-12761

3.5LOW

Key Information:

Vendor: Drupal
Status: Simple Multi Step Form
Vendor: CVE Published:; 18 November 2025

What is CVE-2025-12761?

The vulnerability in the Simple multi step form plugin for Drupal arises from improper sanitization of user input during web page generation. This allows an attacker to inject malicious scripts that can be executed in the context of a user's browser, potentially compromising sensitive information or hijacking user sessions. Affected versions include all before 2.0.0, underscoring the importance of updating to the latest secured release.

Affected Version(s)

Simple multi step form 0.0.0 < 2.0.0

References

https://www.drupal.org/sa-contrib-2025-116

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 18, 2025
Vulnerability Reserved
Nov 5, 2025

Credit

Ide Braakman (idebr)

Diosbel MezquÃa (dmezquia)

Ide Braakman (idebr)

Vitaliy Bogomazyuk (vitaliyb98)

Greg Knaddison (greggles)

Ivo Van Geertruyen (mr.baileys)

Juraj Nemec (poker10)

JSON