PHP
CVE-2025-12848
HIGH
Severity by source: NVD (primary and only rating source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:U/V:D/RE:L/U:Amber
Description (source: CVE.org)
Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser.
The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module.
Analysis (AI-generated)
Cross-site scripting (XSS) in the Drupal 7.x Webform Multiple File Upload module, versions 7.x-1.2 through 7.x-1.6, lets an unauthenticated attacker run arbitrary JavaScript in the browser of whoever views the rendered filename, by uploading a file whose name carries the payload to a Webform node with a Multifile field on which file type validation is disabled. The defect is in the file name renderer of the bundled third-party fyneworks/multifile library. With EPSS at 0.07% (21st percentile) and no public exploit identified at the time of analysis, exploitation probability is low despite the CVSS 7.0 score.
Technical Context (AI-generated)
The vulnerability affects the Webform Multiple File Upload module for Drupal 7.x, specifically versions 7.x-1.2, 7.x-1.3, 7.x-1.4, 7.x-1.5, 7.x-1.6 and the 7.x-1.x development branch (per the NVD CPE entries under cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload). The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation): the bundled fyneworks/multifile JavaScript library inserts the user-supplied filename into the page as HTML rather than as text, so a filename that is itself a tag with an event-handler attribute (the "<img src=1 onerror=...>" form given in the description) is parsed and executed by the browser when the entry is displayed. No output encoding is bypassed; none is applied to the filename. The reported precondition is a Multifile field with file type validation disabled. The defect sits in third-party client-side code rather than in the module's own PHP, but the module ships that library, so affected sites obtain the fix either through the module update or by applying the upstream patch to the bundled copy.
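To make the root cause concrete, the following is an added example written for this page; it is not code from fyneworks/multifile, the Webform module or the Drupal security team. It contrasts the vulnerable pattern (filename concatenated into markup that is later handed to innerHTML or jQuery .html()) with the corrected one (filename entity-encoded first), using the payload quoted in the CVE description. The function names, the markup shape and the sample filenames are assumptions for illustration, and the DOM is stood in for by strings so the snippet runs under Node without a browser.

```javascript
// Added example: unsafe vs. safe rendering of a user-controlled filename.
// Not taken from fyneworks/multifile or the Webform module; names and markup
// are assumed for illustration. Strings stand in for the DOM so this runs in Node.

// Payload from the CVE description: the filename is itself an HTML tag.
const MALICIOUS_FILENAME = '<img src=1 onerror=alert(document.domain)>';
// Constructed benign filename containing a character that must still be encoded.
const BENIGN_FILENAME = 'quarterly report & notes.pdf';

// Minimal HTML entity encoder, sufficient for text nodes and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (CWE-79): the raw filename is concatenated into markup.
// When this string reaches innerHTML, the browser parses the <img> tag and
// fires its onerror handler in the viewer's origin.
function renderFileEntryUnsafe(filename) {
  return '<li class="multifile-entry">' + filename +
    ' <a href="#" class="remove">x</a></li>';
}

// Fixed pattern: the filename is entity-encoded before it enters the markup,
// so the browser displays it as text. In a live DOM the equivalent is creating
// the element and assigning textContent (jQuery .text()) instead of .html().
function renderFileEntrySafe(filename) {
  return '<li class="multifile-entry">' + escapeHtml(filename) +
    ' <a href="#" class="remove">x</a></li>';
}

// Coarse smoke test for rendered output: is there a real tag (not an escaped
// one) carrying an on* event-handler attribute? Useful when checking a page
// after patching; it is a detector, not a sanitizer.
function containsLiveEventHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe:', renderFileEntryUnsafe(MALICIOUS_FILENAME));
console.log('safe:  ', renderFileEntrySafe(MALICIOUS_FILENAME));
console.log('unsafe output carries a live handler:',
  containsLiveEventHandler(renderFileEntryUnsafe(MALICIOUS_FILENAME)));
console.log('safe output carries a live handler:  ',
  containsLiveEventHandler(renderFileEntrySafe(MALICIOUS_FILENAME)));
```

The safe variant is the whole fix: once the filename is treated as text, neither the payload's extension nor a file type check matters to the renderer. Encoding must happen at the point where the value enters HTML, which is why a server-side filename filter on its own is only a partial mitigation.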
Remediation (AI-generated)
Apply the upstream fix from the fyneworks/multifile library (https://github.com/fyneworks/multifile/pull/44) or upgrade to a fixed release of the Webform Multiple File Upload module as listed in the Drupal.org advisory (https://www.drupal.org/node/3105204); the advisory gives the exact patched version numbers. Until the update is deployed, apply defense in depth: enable file type validation on every Multifile field, since validation being disabled is the reported precondition for exploitation (this restricts accepted extensions and is not output encoding, so it narrows exposure rather than fixing the renderer); deploy a Content Security Policy whose script-src omits 'unsafe-inline', which blocks an inline onerror handler even if the markup is injected, testing first because many Drupal 7 themes and modules still rely on inline scripts; and, where an immediate patch is not feasible, disable the module on public-facing forms. Organizations still running Drupal 7.x beyond its end of life can also obtain ongoing fixes through extended-support vendors such as HeroDevs (https://www.herodevs.com/vulnerability-directory/cve-2025-12848).