CVE-2025-12848
Severity: HIGH · EPSS: 22.0%
CVSS 4.0 base score: 7.0
Published Nov 26, 2025 (7mo ago) · Last modified Jun 17, 2026 (2w ago)
Description
The Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in its file name renderer. An unauthenticated attacker can exploit it by uploading a file whose filename contains JavaScript (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled; the filename is later rendered without escaping, so arbitrary script executes in the context of the victim's browser. The defect lies in a bundled third-party library (fyneworks/multifile) and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44. Users are advised to apply the provided patch or update to a fixed version of the module.
CVSS Details
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:U/V:D/RE:L/U:Amber
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Active (A)
- Scope: N
Threat Intelligence
- EPSS exploit probability: 22.0% (percentile)
Exploit & Patch Status
- No known exploit
- Patch available
Weaknesses (1)
- CWE-79: Cross-site Scripting (Injection)
Affected Products (6)
| Vendor | Product | Version | Range |
|---|---|---|---|
| webform_multiple_file_upload_project | webform_multiple_file_upload | 7.x-1.2 | any |
| webform_multiple_file_upload_project | webform_multiple_file_upload | 7.x-1.3 | any |
| webform_multiple_file_upload_project | webform_multiple_file_upload | 7.x-1.4 | any |
| webform_multiple_file_upload_project | webform_multiple_file_upload | 7.x-1.5 | any |
| webform_multiple_file_upload_project | webform_multiple_file_upload | 7.x-1.6 | any |
| webform_multiple_file_upload_project | webform_multiple_file_upload | 7.x-1.x | any |
References (4)
- d7es.tag1.com https://d7es.tag1.com/security-advisories/webform-multiple-file-upload-critical-cross-site-scripting
- d7security.org https://www.d7security.org/security-advisories/D7SECURITY-SA-CONTRIB-2025-001/
- drupal.org https://www.drupal.org/node/3105204
- herodevs.com https://www.herodevs.com/vulnerability-directory/cve-2025-12848
Remediation
- drupal.org https://www.drupal.org/node/3105204