CVE-2025-13947

| EUVD-2025-200738 HIGH
2025-12-03 [email protected]
7.4
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 15, 2026 - 16:14 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 16:14 euvd
EUVD-2025-200738
CVE Published
Dec 03, 2025 - 10:15 nvd
HIGH 7.4

Tags

Information Disclosure Ubuntu Debian Redhat Suse Safari Apple

Description

A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechanism where WebKitGTK does not verify that drag operations originate from outside the browser.

Analysis

A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechanism where WebKitGTK does not verify that drag operations originate from outside the browser.

Technical Context

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Origin Validation Error (CWE-346).

Affected Products

Affected: WebKitGTK

Remediation

Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

Priority Score

37
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +37
POC: 0

Vendor Status

Ubuntu

Priority: Medium
webkitgtk
Release Status Version
jammy DNE -
noble DNE -
plucky DNE -
questing DNE -
upstream needs-triage -
bionic ignored -
xenial ignored -
webkit2gtk
Release Status Version
xenial ignored -
bionic ignored -
focal ignored -
upstream released 2.50.3
jammy released 2.50.3-0ubuntu0.22.04.1
noble released 2.50.3-0ubuntu0.24.04.1
plucky released 2.50.3-0ubuntu0.25.04.1
questing released 2.50.3-0ubuntu0.25.10.1
qtwebkit-source
Release Status Version
xenial ignored -
bionic ignored -
jammy DNE -
noble DNE -
plucky DNE -
questing DNE -
upstream needs-triage -
qtwebkit-opensource-src
Release Status Version
xenial ignored -
bionic ignored -
focal ignored -
jammy ignored -
noble ignored -
plucky DNE -
questing DNE -
upstream needs-triage -
wpewebkit
Release Status Version
focal ignored -
jammy ignored -
noble DNE -
plucky DNE -
questing DNE -
upstream released 2.50.3-1
USN-7941-1

Debian

webkit2gtk
Release Status Fixed Version Urgency
bullseye fixed 2.50.3-1~deb11u1 -
bullseye (security) fixed 2.50.4-1~deb11u1 -
bookworm, bookworm (security) fixed 2.50.4-1~deb12u1 -
trixie (security), trixie fixed 2.50.4-1~deb13u1 -
forky fixed 2.50.5-1 -
sid fixed 2.50.6-1 -
bookworm fixed 2.50.3-1~deb12u1 -
trixie fixed 2.50.3-1~deb13u1 -
(unstable) fixed 2.50.3-1 -
wpewebkit
Release Status Fixed Version Urgency
bullseye (security), bullseye vulnerable 2.38.6-1~deb11u1 -
bookworm vulnerable 2.38.6-1 -
trixie vulnerable 2.48.3-1 -
forky fixed 2.50.5-1 -
sid fixed 2.50.6-1 -
bullseye fixed (unfixed) end-of-life
(unstable) fixed 2.50.3-1 -
DLA-4399-1 DSA-6074-1

Share

CVE-2025-13947 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy