Summary
Security updates address 3 vulnerabilities in Drupal Core, one of which is rated “critical.”
Risk
Estimate of vulnerability impact on the reference community: High (65.51)
Type
- Arbitrary Code Execution
- Security Restrictions Bypass
Affected products and versions
Drupal
- 10.3.x, versions prior to 10.3.13
- 10.4.x, versions prior to 10.4.3
- 11.0.x, versions prior to 11.0.12
- 11.1.x, versions prior to 11.1.3
Mitigation actions
In line with vendor statements, it is recommended to update vulnerable products following the instructions in the security bulletins listed in the References section.
Please note that for all versions of Drupal 8 and Drupal 9, and for Drupal 10 versions prior to 10.3, the vendor will not release any workaround and/or patch, because these versions have reached their end of support (EOL) date.
References
https://www.drupal.org/sa-core-2025-001
https://www.drupal.org/sa-core-2025-002
https://www.drupal.org/sa-core-2025-003
1. This estimate takes into account several parameters, including: CVSS, availability of patches/workarounds and PoC, and diffusion of the affected software/devices in the reference community.