drupal-pattern-lab/unified-twig-extensions CVE-2025-11570
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filtering of data. Note: This is exploitable only if the code is executed outside of Drupal; the function is intended to be shared between Drupal and Pattern Lab. The package drupal-pattern-lab/unified-twig-extensions is unmaintained, the fix for this issue exists in version 1.1.1 of drupal/unified_twig_ext
AnalysisAI
Cross-site scripting (XSS) in drupal-pattern-lab/unified-twig-extensions (all versions from 0.0.0) allows authenticated users to inject malicious scripts through insufficient output filtering, but only when the code is executed outside of Drupal environments such as Pattern Lab. The package is unmaintained; the vulnerability is fixed in the successor drupal/unified_twig_ext version 1.1.1. EPSS exploitation probability is extremely low at 0.02%, and no public exploit code has been identified.
Technical ContextAI
The drupal-pattern-lab/unified-twig-extensions package provides shared Twig template functions intended for use in both Drupal and Pattern Lab environments. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the link.function.php file, where user-supplied data is rendered into HTML without proper escaping or sanitization. While Drupal's core templating system applies automatic output filtering via its theme system, the shared function lacks these safeguards when invoked directly in Pattern Lab or other non-Drupal contexts. The affected code path processes user input into HTML link elements without validating or escaping attribute values or text content.
Affected ProductsAI
drupal-pattern-lab/unified-twig-extensions all versions from 0.0.0 are affected. The package is available via Composer/Packagist. The vulnerability is fixed in the maintained successor package drupal/unified_twig_ext version 1.1.1 and later. CVE references: https://security.snyk.io/vuln/SNYK-PHP-DRUPALPATTERNLABUNIFIEDTWIGEXTENSIONS-8400877 and Drupal security advisory https://www.drupal.org/sa-contrib-2023-041.
RemediationAI
Primary remediation is to migrate from the unmaintained drupal-pattern-lab/unified-twig-extensions to drupal/unified_twig_ext version 1.1.1 or later, which includes the XSS fix. Update composer.json to require 'drupal/unified_twig_ext': '^1.1.1' and run composer update. For organizations unable to migrate immediately, restrict execution of this package to Drupal environments only, where automatic output filtering mitigates the vulnerability - avoid importing the package directly in Pattern Lab or standalone scripts. If the package must run outside Drupal, manually apply output escaping via Twig's |escape filter or PHP's htmlspecialchars() function to all user-controlled variables passed to the link function. Note that these workarounds add maintenance burden and should be treated as temporary measures only.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today