Cross-Site Scripting Vulnerability in Webform Multiple File Upload Module for Drupal
CVE-2025-12848

7 HIGH

Key Information:

Vendor: Drupal

Status
Vendor

CVE Published: 26 November 2025

What is CVE-2025-12848?

The Webform Multiple File Upload module for Drupal 7.x is vulnerable to a cross-site scripting (XSS) issue. An attacker can exploit this flaw by uploading a file with a specially crafted filename that contains malicious JavaScript code. If the file type validation is disabled on a Webform node with a Multifile field, this can result in the execution of arbitrary scripts in the victim's browser, leading to potential unauthorized access or data breaches. Users are encouraged to apply the patch provided on GitHub or update to a secure version of the module to mitigate the risk.
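A defender-side audit of the two conditions described above (markup in the filename, and no file type restriction), written as an added example; it is not the module's code or the patch referenced on GitHub. The extension allowlist, function names and sample filenames are assumptions constructed for illustration.

```python
import html
import re

# Assumption: extensions the site intends to accept on the Multifile field.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt"}

# Characters that let a filename leave HTML text or attribute context.
MARKUP_CHARS = re.compile(r"[<>\"'&`]")
# Control characters have no place in a stored filename.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample data standing in for filenames received by a webform.
SAMPLE_UPLOADS = ["report.pdf", "<b>q3</b>.pdf", "notes.svg", "tab\there.txt"]


def audit_filename(name):
    """Return the list of findings for one uploaded filename."""
    findings = []
    if MARKUP_CHARS.search(name):
        findings.append("html-metacharacter")
    if CONTROL_CHARS.search(name):
        findings.append("control-character")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        findings.append("extension-not-allowed")
    return findings


def render_filename(name):
    """HTML-encode a filename for element text or a quoted attribute."""
    return html.escape(name, quote=True)


def safe_storage_name(name):
    """Map every character outside a conservative set to '_'."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return cleaned.lstrip(".") or "upload"


def audit_batch(names):
    """Return {filename: findings} for the names that have findings."""
    return {n: f for n in names if (f := audit_filename(n))}


if __name__ == "__main__":
    for name, findings in audit_batch(SAMPLE_UPLOADS).items():
        print(render_filename(name), findings, "->", safe_storage_name(name))
```

Encoding at output time (`render_filename`) is what stops the script execution; the audit and renaming steps only reduce what reaches that point.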

Affected Version(s)

Drupal 7.x

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
