CVE-2025-13081

MEDIUM EPSS 12.8%

Published Nov 18, 20257mo ago · Modified Jun 17, 20261w ago

5.9 CVSS 3.1

Medium

Published Nov 18, 2025 7mo ago

Last Modified Jun 17, 2026 1w ago

Description

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

CVSS Details

Base Score

5.9

Exploitability

0.7

Impact

5.2

Vector string

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Attack Vector Network

Attack Complexity High

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

12.8% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-502 Deserialization of Untrusted Data Validation

CWE-915

Affected Products 4

Vendor	Product	Version	Range
drupal	drupal	*	≥8.0.0 – <10.4.9
drupal	drupal	*	≥10.5.0 – <10.5.6
drupal	drupal	*	≥11.0.0 – <11.1.9
drupal	drupal	*	≥11.2.0 – <11.2.8

References 1

drupal.org https://www.drupal.org/sa-core-2025-006

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.