Cross-Site Scripting Vulnerability in Drupal Facets
CVE-2025-9550

Currently unrated

Key Information:

Vendor

Drupal
Status
Facets
Vendor
CVE Published:
10 October 2025

What is CVE-2025-9550?

The Drupal Facets module is vulnerable to Cross-Site Scripting (XSS) due to improper handling of input during webpage generation. Attackers could exploit this vulnerability to inject malicious scripts, potentially compromising user sessions or redirecting users to malicious sites. This affects all versions prior to 2.0.10 and any range from 3.0.0 before 3.0.1, emphasizing the importance of updating the module promptly to enhance security.

Affected Version(s)

Facets 0.0.0 < 2.0.10

Facets 3.0.0 < 3.0.1

References

https://www.drupal.org/sa-contrib-2025-100

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Rudloff (prudloff)
Joris Vercammen (borisson_)
Thomas Seidl (drunken monkey)
Pierre Rudloff (prudloff)
Damien McKenna (damienmckenna)
Ivo Van Geertruyen (mr.baileys)
Pierre Rudloff (prudloff)
Drew Webber (mcdruid)
JSON
.
CVE-2025-9550 : Cross-Site Scripting Vulnerability in Drupal Facets