Cross-Site Scripting Vulnerability in Drupal Lightgallery by Drupal
CVE-2025-48447

7.1 HIGH

Key Information:

Vendor: Drupal
CVE Published: 11 June 2025

What is CVE-2025-48447?

A Cross-Site Scripting (XSS) vulnerability exists in the Lightgallery module for Drupal, enabling attackers to inject malicious scripts into web pages viewed by users. Injected scripts run in the victim's browser in the context of the site, which can compromise user data. The flaw affects all versions from 0.0.0 up to but not including 1.6.0. Sites using the module should apply the latest updates and follow security best practices to mitigate the risk.

Affected Version(s)

Lightgallery 0.0.0 < 1.6.0

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Rudloff (prudloff)
Murilo Henrique Pucci (murilohp)
Greg Knaddison (greggles)
Juraj Nemec (poker10)