Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Drupal 7 is not affected.

Affected Packages

Packagist drupal/core

Affected versions: 8.0.0 (fixed in 9.2.18)

Packagist drupal/core

Affected versions: 9.3.0 (fixed in 9.3.12)

Related CVEs

CVE-2022-25273

Key Information

GHSA ID

GHSA-g36h-4jr6-qmm9

Published

April 26, 2023 3:30 PM

Last Modified

May 10, 2023 12:38 AM

CVSS Score

7.5 /10

Primary Ecosystem

Packagist

Primary Package

drupal/core

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.