Drupal Releases Critical Security Updates to Address XSS, Access Bypass, and Gadget Chain Vulnerabilities
Drupal has released multiple security updates to address critical and moderately critical vulnerabilities affecting its core versions. Website administrators are strongly advised to update their systems immediately to mitigate security risks.
Cross-Site Scripting (XSS) – Critical (SA-CORE-2025-001)
A critical cross-site scripting (XSS) vulnerability has been identified in Drupal core. The issue arises due to insufficient filtering of error messages under certain conditions, potentially allowing attackers to inject malicious scripts. While no public exploit has been documented yet, security experts warn that one may surface soon. Websites using Drupal Steward are protected but should still update their software promptly.
Affected Versions:
Drupal 8.0.0 to 10.3.12
Drupal 10.4.0 to 10.4.2
Drupal 11.0.0 to 11.0.11
Drupal 11.1.0 to 11.1.2
Solution: Update to the latest patched versions:
Drupal 10.3.13
Drupal 10.4.3
Drupal 11.0.12
Drupal 11.1.3
Access Bypass – Moderately Critical (SA-CORE-2025-002)
A flaw in Drupal's bulk operations system allows authorized users to modify content fields they should not have permission to change. The issue affects the Content page (/admin/content) and other custom views where bulk actions are enabled.
To mitigate this risk, Drupal has updated its permissions framework, now requiring the "Administer content" permission for bulk actions like publishing, promoting, and unpublishing content.
Affected Versions:
Drupal 8.0.0 to 10.3.12
Drupal 10.4.0 to 10.4.2
Drupal 11.0.0 to 11.0.11
Drupal 11.1.0 to 11.1.2
Solution: Update to the latest versions mentioned above.
Gadget Chain Vulnerability – Moderately Critical (SA-CORE-2025-003)
A potential PHP Object Injection vulnerability in Drupal core could lead to Arbitrary File Inclusion and Remote Code Execution if paired with another exploit. Although this flaw is not directly exploitable, it poses a significant risk when combined with other vulnerabilities. No known exploits exist in Drupal core at this time.
Affected Versions:
Drupal 8.0.0 to 10.3.12
Drupal 10.4.0 to 10.4.2
Drupal 11.0.0 to 11.0.11
Drupal 11.1.0 to 11.1.2
Solution: Upgrade to the latest patched versions.
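A gadget chain in core only becomes dangerous when some other code path hands attacker-controlled bytes to PHP's unserialize(). Besides applying the core update, site owners can audit their own custom modules for such entry points. The following is an added example written for this page, not code from the advisory or from Drupal: a small Python scan that flags unserialize() calls which either omit the allowed_classes option or set it to true. The PHP snippet it scans is constructed sample input; the function and regex names are this example's own.

```python
import re

# Matches unserialize( ... ), tolerating one level of nested parentheses
# inside the argument list, e.g. unserialize($request->getContent()).
# This is a heuristic text scan, not a PHP parser: calls split across
# several lines with deeper nesting, or occurrences inside comments and
# string literals, are not handled precisely.
CALL_RE = re.compile(r"\bunserialize\s*\(((?:[^()]|\([^()]*\))*)\)", re.IGNORECASE)
ALLOW_ALL_RE = re.compile(r"allowed_classes['\"]?\s*=>\s*true", re.IGNORECASE)


def find_unsafe_unserialize(php_source):
    """Return (line_number, reason) tuples for unserialize() calls that do
    not restrict which classes may be instantiated from the payload."""
    findings = []
    for m in CALL_RE.finditer(php_source):
        args = m.group(1)
        line = php_source.count("\n", 0, m.start()) + 1
        if "allowed_classes" not in args:
            findings.append((line, "no allowed_classes option: any class can be instantiated"))
        elif ALLOW_ALL_RE.search(args):
            findings.append((line, "allowed_classes => true: equivalent to no restriction"))
    return findings


# Constructed sample PHP (not from any real module) covering the cases:
# line 2 unrestricted, line 3 objects disabled, line 4 allow-listed,
# line 5 explicitly unrestricted, line 6 not a deserialization call.
SAMPLE_PHP = """<?php
$a = unserialize($request->getContent());
$b = unserialize($data, ['allowed_classes' => false]);
$c = unserialize($data, ['allowed_classes' => ['App\\\\Dto']]);
$d = unserialize($data, ['allowed_classes' => true]);
$e = json_decode($data, true);
"""


def scan_file(path):
    """Convenience wrapper to scan a PHP file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_unsafe_unserialize(fh.read())


if __name__ == "__main__":
    for line, reason in find_unsafe_unserialize(SAMPLE_PHP):
        print(f"sample.php:{line}: {reason}")
```

Run it over a module directory with a loop such as `for f in $(find modules/custom -name '*.php' -o -name '*.module'); do python3 scan.py "$f"; done` after replacing the sample with `scan_file(sys.argv[1])`. A call that passes `['allowed_classes' => false]` yields only `__PHP_Incomplete_Class` objects and cannot trigger a gadget chain; an explicit allow-list is the next best option, and unrestricted calls on untrusted input should be replaced with a JSON or similar data-only format.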
Call to Action
Administrators are urged to update their Drupal installations immediately to prevent potential exploitation. Drupal 10 versions prior to 10.3, as well as Drupal 8 and 9, are end-of-life and no longer receive security coverage.
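All three advisories share the same affected ranges and fixed releases, and the end-of-life rule above decides whether a fix even exists for a given site. As an added example (not a tool provided by Drupal or the advisories), the following Python function takes a Drupal core version string and reports whether it falls inside the listed ranges, and if so which release to move to, or that the branch is end-of-life. The range table is transcribed from the version lists above; the function names are this example's own.

```python
import re
import sys

# Affected ranges (inclusive) and the fixed release for each branch,
# transcribed from SA-CORE-2025-001/002/003 as listed above.
AFFECTED_RANGES = [
    ((8, 0, 0), (10, 3, 12), "10.3.13"),
    ((10, 4, 0), (10, 4, 2), "10.4.3"),
    ((11, 0, 0), (11, 0, 11), "11.0.12"),
    ((11, 1, 0), (11, 1, 2), "11.1.3"),
]


def parse_version(text):
    """Turn '10.3.5' or '11.0.12-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_end_of_life(v):
    """Drupal 8, 9 and 10.x below 10.3 no longer receive security coverage."""
    return v[0] in (8, 9) or (v[0] == 10 and v[1] < 3)


def assess(version_text):
    """Return ('eol', None), ('affected', fixed_version) or ('ok', None).

    'ok' means the version is not inside any listed affected range, which
    covers the fixed releases themselves and anything newer."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            if is_end_of_life(v):
                return ("eol", None)
            return ("affected", fixed)
    return ("ok", None)


if __name__ == "__main__":
    # Usage: python3 check_drupal.py 10.3.5
    status, target = assess(sys.argv[1] if len(sys.argv) > 1 else "10.3.5")
    if status == "affected":
        print(f"affected: update to {target}")
    elif status == "eol":
        print("affected and end-of-life: no fix on this branch, migrate to 10.3/10.4/11.x")
    else:
        print("not in the listed affected ranges")
```

The version to feed in can be read from the site itself, for example with `drush status --field=drupal-version` on a Drush-managed install, or from `composer show drupal/core` (assumed workflow, not part of the advisory). Comparing tuples rather than strings avoids the classic mistake of treating 10.3.12 as older than 10.3.2.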
For more information, visit the official Drupal Security Advisories.