CVE-2025-12848

Severity: HIGH
Published: 2025-11-26 ([email protected])
CVSS 4.0 base score: 7.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:U/V:D/RE:L/U:Amber
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: A (Active)
Scope: N

Lifecycle Timeline (3 events)

Analysis Generated: Mar 26, 2026 - 21:22 (vuln.today)
Patch Released: Mar 26, 2026 - 21:22 (nvd) - Patch available
CVE Published: Nov 26, 2025 - 02:15 (nvd)

Description

Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44. Users are advised to apply the provided patch or update to a fixed version of the module.

Analysis

Cross-site scripting (XSS) in Drupal 7.x Webform Multiple File Upload module versions 7.x-1.2 through 7.x-1.6 enables unauthenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading files with malicious filenames to Webform nodes where file type validation is disabled. The vulnerability originates in the third-party fyneworks/multifile library's file name renderer. With EPSS at 0.07% (21st percentile) and no public exploit identified at time of analysis, exploitation probability remains low despite the CVSS 7.0 score.

Technical Context

The vulnerability affects Webform Multiple File Upload module for Drupal 7.x, specifically versions 7.x-1.2, 7.x-1.3, 7.x-1.4, 7.x-1.5, 7.x-1.6, and 7.x-1.x development builds (confirmed via CPE strings cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), where the fyneworks/multifile JavaScript library fails to sanitize user-supplied filenames before rendering them in the browser DOM. When file type validation is disabled on Multifile fields, attackers can craft filenames containing HTML/JavaScript payloads that execute when the filename is displayed, bypassing output encoding protections. The issue resides in third-party client-side code rather than the Drupal module itself.

Affected Products

Webform Multiple File Upload module for Drupal 7.x versions 7.x-1.2, 7.x-1.3, 7.x-1.4, 7.x-1.5, 7.x-1.6, and all 7.x-1.x development builds are confirmed vulnerable via CPE identifiers. The vulnerability is present in the underlying fyneworks/multifile JavaScript library used by these module versions. Official vendor advisories are available at https://www.drupal.org/node/3105204 (Drupal.org security notice) and https://www.d7security.org/security-advisories/D7SECURITY-SA-CONTRIB-2025-001/ (D7 Security Advisory), with additional analysis at https://d7es.tag1.com/security-advisories/webform-multiple-file-upload-critical-cross-site-scripting. Only Drupal 7.x installations with the Webform Multiple File Upload contributed module installed are affected.

Remediation

Apply the upstream fix available from the fyneworks/multifile library at https://github.com/fyneworks/multifile/pull/44 or upgrade to a fixed version of the Webform Multiple File Upload module per Drupal.org advisory https://www.drupal.org/node/3105204. The Drupal security team has released patched module versions incorporating the library fix; consult the vendor advisory for exact version numbers. Until patching is completed, implement defense-in-depth mitigations: enable strict file type validation on all Multifile fields to reject uploads with HTML/JavaScript in filenames, implement Content Security Policy headers to restrict inline script execution, and consider disabling the Webform Multiple File Upload module on public-facing forms if immediate patching is not feasible. Organizations maintaining legacy Drupal 7.x instances may consider HeroDevs extended support services (https://www.herodevs.com/vulnerability-directory/cve-2025-12848) for ongoing security maintenance.
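As an added example (not code from the fyneworks/multifile library, the Drupal module, or any of the advisories linked above), the following JavaScript contrasts the rendering pattern described under Technical Context, a filename concatenated straight into markup, with an output-encoded renderer, and adds the kind of upload-time filename check the Remediation section recommends as a stop-gap. The function names, the `file-name` CSS class and the rejection policy in `isSuspiciousFileName` are assumptions made for illustration; the sample filenames are constructed, the second one reusing the payload quoted in the description.

```javascript
// Added example, not code from fyneworks/multifile or the Drupal module.
// Shows why concatenating a filename into HTML is CWE-79, what the
// output-encoded form looks like, and an upload-time check a server can
// apply while the library patch is being rolled out.

// Constructed sample filenames: one benign, one carrying the payload
// quoted in the advisory description.
const SAMPLE_FILENAMES = [
  "quarterly-report.pdf",
  "<img src=1 onerror=alert(document.domain)>",
];

// Vulnerable pattern (assumed shape of the flaw): the filename is
// interpolated into markup, so any HTML in it becomes live DOM the moment
// the string is assigned to innerHTML.
function buildUnsafeMarkup(fileName) {
  return '<span class="file-name">' + fileName + "</span>";
}

// HTML-encode the five characters that change meaning inside markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same markup, but the untrusted value is encoded first.
function buildSafeMarkup(fileName) {
  return '<span class="file-name">' + escapeHtml(fileName) + "</span>";
}

// Preferred form when a DOM is available: assign text, never markup.
// textContent does not parse HTML, so no encoding table is needed.
// Returns null under Node, where there is no document.
function renderFileNameAsText(fileName) {
  if (typeof document === "undefined") return null;
  const span = document.createElement("span");
  span.className = "file-name";
  span.textContent = fileName;
  return span;
}

// Upload-time check (assumed policy): reject filenames containing HTML
// metacharacters or control characters before they are stored or echoed.
// This mirrors the advisory's advice to reject uploads with HTML/JavaScript
// in their names; it complements output encoding rather than replacing it.
function isSuspiciousFileName(fileName) {
  return /[<>"'&\x00-\x1f]/.test(fileName);
}

// Run both renderers and the upload check over the constructed samples.
function demo() {
  return SAMPLE_FILENAMES.map((name) => ({
    name,
    unsafe: buildUnsafeMarkup(name),
    safe: buildSafeMarkup(name),
    rejectedAtUpload: isSuspiciousFileName(name),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows the payload surviving intact in the `unsafe` string (where it would execute once inserted into the page) and arriving as inert `&lt;img ...&gt;` text in the `safe` string; the benign PDF name passes the upload check while the payload is rejected. Output encoding at render time is the actual fix; the filename check only narrows exposure on installations that cannot patch immediately.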

Priority Score

35 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +35
POC: 0
