Cross-Site Scripting Vulnerability in Drupal Facets
CVE-2025-9550

6.1MEDIUM

Key Information:

Vendor

Drupal
Status
Facets
Vendor
CVE Published:
10 October 2025

What is CVE-2025-9550?

The Drupal Facets module is vulnerable to Cross-Site Scripting (XSS) due to improper handling of input during webpage generation. Attackers could exploit this vulnerability to inject malicious scripts, potentially compromising user sessions or redirecting users to malicious sites. This affects all versions prior to 2.0.10 and any range from 3.0.0 before 3.0.1, emphasizing the importance of updating the module promptly to enhance security.

Affected Version(s)

Facets 0.0.0 < 2.0.10

Facets 3.0.0 < 3.0.1

References

https://www.drupal.org/sa-contrib-2025-100

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Rudloff (prudloff)
Joris Vercammen (borisson_)
Thomas Seidl (drunken monkey)
Pierre Rudloff (prudloff)
Damien McKenna (damienmckenna)
Ivo Van Geertruyen (mr.baileys)
Pierre Rudloff (prudloff)
Drew Webber (mcdruid)
JSON
.
CVE-2025-9550 : Cross-Site Scripting Vulnerability in Drupal Facets