Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Affected Packages

Packagist drupal/core

Affected versions: 9.3.0 (fixed in 9.3.6)

Packagist drupal/core

Affected versions: 8.0.0 (fixed in 9.2.13)

Packagist drupal/core

Affected versions: 7.0.0 (fixed in 7.88)

Related CVEs

CVE-2022-25271

Key Information

GHSA ID

GHSA-fmfv-x8mp-5767

Published

February 18, 2022 12:00 AM

Last Modified

March 1, 2022 9:17 PM

CVSS Score

7.5 /10

Primary Ecosystem

Packagist

Primary Package

drupal/core

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.