Project: Drupal coreDate: 2025-March-19Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: >= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 < 11.0.13 || >= 11.1.0 < 11.1.5CVE IDs: CVE-2025-31675Description: 

Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.

Sites with the Link module disabled or that do not use any link fields are not affected.

Solution: 

Install the latest version:

• If you use Drupal 10.3.x, update to Drupal 10.3.14
• If you use Drupal 10.4.x, update to Drupal 10.4.5
• If you use Drupal 11.0.x, update to Drupal 11.0.13
• If you use Drupal 11.1.x, update to Drupal 11.1.5

All versions of Drupal prior to 10.3 are end-of-life and do not receive security coverage from the Drupal Security Team.

Reported By: 

• Samuel Mortenson (samuel.mortenson)

Fixed By: 

• Anna Kalata (akalata), provisional member of the Drupal Security Team
• Alex Pott (alexpott) of the Drupal Security Team
• Benji Fisher (benjifisher) of the Drupal Security Team
• Bram Driesen (bramdriesen), provisional member of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• Alex Bronstein (effulgentsia) of the Drupal Security Team
• Jen Lampton (jenlampton), provisional member of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Joseph Zhao (pandaski), provisional member of the Drupal Security Team
• Adam G-H (phenaproxima)
• Samuel Mortenson (samuel.mortenson)
• Jess (xjm) of the Drupal Security Team