Home

Description

Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing.This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.

PUBLISHED Reserved 2025-08-27 | Published 2025-10-10 | Updated 2025-10-10 | Assigner drupal

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

0.0.0 before 2.0.10
affected

3.0.0 before 3.0.1
affected

Credits

Damien McKenna (damienmckenna) finder

Benji Fisher (benjifisher) remediation developer

Joris Vercammen (borisson_) remediation developer

Damien McKenna (damienmckenna) remediation developer

Thomas Seidl (drunken monkey) remediation developer

Jimmy Henderickx (strykaizer) remediation developer

Benji Fisher (benjifisher) coordinator

Damien McKenna (damienmckenna) coordinator

Greg Knaddison (greggles) coordinator

Drew Webber (mcdruid) coordinator

Cathy Theys (yesct) coordinator

References

www.drupal.org/sa-contrib-2025-099

cve.org (CVE-2025-9549)

nvd.nist.gov (CVE-2025-9549)

Download JSON