CVE-2025-13081

State: PUBLISHED · Published: 2025-11-18 · Updated: 2026-02-26 · Assigner: drupal

Description

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

CWE

CWE-915 — CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-502 — CWE-502 Deserialization of Untrusted Data

Affected

Drupal / Drupal core — v=8.0.0 <10.4.9 [affected]; v=10.5.0 <10.5.6 [affected]; v=11.0.0 <11.1.9 [affected]; v=11.2.0 <11.2.8 [affected]

CVSS

(none)

References

https://www.drupal.org/sa-core-2025-006

Source

cvelistV5-main/cves/2025/13xxx/CVE-2025-13081.json