Forceful Browsing Vulnerability in Drupal Core by Drupal
CVE-2025-13080

5.3 MEDIUM

Key Information:

Vendor: Drupal

CVE Published: 18 November 2025

What is CVE-2025-13080?

A vulnerability in Drupal core allows forceful browsing, which could enable an attacker to access restricted content by bypassing intended controls. This issue affects various versions of Drupal core, creating security risks for web applications that use these versions.

Affected Version(s)

Drupal core 8.0.0 < 10.4.9

Drupal core 10.5.0 < 10.5.6

Drupal core 11.0.0 < 11.1.9

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dragos Dumitrescu (dragos-dumi)
yasser ALLAM (inzo_)
Nils Destoop (nils.destoop)
Sven Decabooter (svendecabooter)
zhero
Alex Pott (alexpott)
catch (catch)
cilefen (cilefen)
Jen Lampton (jenlampton)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Nils Destoop (nils.destoop)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)