CVE-2025-11570 | THREATINT

Description

Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filtering of data. **Note:** This is exploitable only if the code is executed outside of Drupal; the function is intended to be shared between Drupal and Pattern Lab. The package drupal-pattern-lab/unified-twig-extensions is unmaintained, the fix for this issue exists in version 1.1.1 of [drupal/unified_twig_ext](https://www.drupal.org/project/unified_twig_ext)

PUBLISHED Reserved 2025-10-09 | Published 2025-10-10 | Updated 2025-10-10 | Assigner snyk

MEDIUM: 4.8CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

MEDIUM: 4.6CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:P

Problem types

Cross-site Scripting (XSS)

Credits

Pierre Rudloff

References

security.snyk.io/...LPATTERNLABUNIFIEDTWIGEXTENSIONS-8400877

github.com/...twig-components/functions/link.function.php#L9

www.drupal.org/sa-contrib-2023-041

cve.org (CVE-2025-11570)

nvd.nist.gov (CVE-2025-11570)

Download JSON