Object Injection Vulnerability in Drupal Core by Drupal
CVE-2025-13081

5.9 MEDIUM

Key Information:

Vendor: Drupal
CVE Published: 18 November 2025

What is CVE-2025-13081?

A vulnerability exists in Drupal core that allows for object injection due to improperly controlled modifications of dynamically-determined object attributes. This affects specific versions of Drupal core and poses security risks that could potentially be exploited by attackers to manipulate application behavior. Administrators are urged to update to the patched versions to mitigate this risk.

Affected Version(s)

Drupal core 8.0.0 < 10.4.9

Drupal core 10.5.0 < 10.5.6

Drupal core 11.0.0 < 11.1.9

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

anzuukino
Anna Kalata (akalata)
catch (catch)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)