CVE-2025-12848

Severity: High
EPSS: 22.0%
CVSS 4.0 base score: 7.0 (High)
Published: Nov 26, 2025
Last Modified: Jun 17, 2026

Description

Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44. Users are advised to apply the provided patch or update to a fixed version of the module.

CVSS Details

Base Score: 7.0
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:U/V:D/RE:L/U:Amber
Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): Active
Safety (S): Negligible

Threat Intelligence

EPSS exploit probability: 22.0% percentile
Exploit status: No Known Exploit
Patch status: Patch Available

Weaknesses (1)

CWE-79: Cross-site Scripting (XSS)

Affected Products (6)

Vendor                                  Product                        Version   Range
webform_multiple_file_upload_project    webform_multiple_file_upload   7.x-1.2   any
webform_multiple_file_upload_project    webform_multiple_file_upload   7.x-1.3   any
webform_multiple_file_upload_project    webform_multiple_file_upload   7.x-1.4   any
webform_multiple_file_upload_project    webform_multiple_file_upload   7.x-1.5   any
webform_multiple_file_upload_project    webform_multiple_file_upload   7.x-1.6   any
webform_multiple_file_upload_project    webform_multiple_file_upload   7.x-1.x   any

References (4)

  • d7es.tag1.com https://d7es.tag1.com/security-advisories/webform-multiple-file-upload-critical-cross-site-scripting
  • d7security.org https://www.d7security.org/security-advisories/D7SECURITY-SA-CONTRIB-2025-001/
  • drupal.org https://www.drupal.org/node/3105204
    (Patch, Vendor Advisory)
  • herodevs.com https://www.herodevs.com/vulnerability-directory/cve-2025-12848

Remediation

  • drupal.org https://www.drupal.org/node/3105204
    (Patch, Vendor Advisory)