This module enables you to easily create and manage faceted search interfaces.
The module doesn’t sufficiently filter certain user-provided text, leading to a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer facets”.
CVSS risk score (experimental) 4.8 / Medium
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N
Install the latest version:
- If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1
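A check against the fixed releases listed above, as an added example that is not part of the original advisory: it reads a `composer.lock` and classifies the installed Facets release. It assumes the module is managed with Composer under the package name `drupal/facets` and that any stable release below the fixed version on its branch needs the update; the sample lock content is constructed.

```python
import json
import re

# Fixed releases named in the advisory, keyed by major branch.
FIXED = {2: (2, 0, 10), 3: (3, 0, 1)}

# Constructed sample: a minimal composer.lock with an outdated Facets release.
SAMPLE_LOCK = """
{
  "packages": [
    {"name": "drupal/core", "version": "10.3.1"},
    {"name": "drupal/facets", "version": "2.0.9"}
  ],
  "packages-dev": []
}
"""

def parse_version(raw):
    """Return (major, minor, patch) for a plain stable version, else None.

    Dev references (dev-2.0.x) and pre-releases (3.0.1-rc1) return None so
    they are never reported as patched without a manual look.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def facets_status(lock_text):
    """Classify the drupal/facets entry of a composer.lock document."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name") != "drupal/facets":
            continue
        version = parse_version(pkg.get("version", ""))
        if version is None:
            return "unknown"  # dev or pre-release build: verify by hand
        fixed = FIXED.get(version[0])
        if fixed is None:
            return "unknown"  # branch not named in the advisory
        return "patched" if version >= fixed else "needs-update"
    return "not-installed"

if __name__ == "__main__":
    print(facets_status(SAMPLE_LOCK))
```

To check a real site, pass the contents of the project's own `composer.lock` to `facets_status`.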
- Joris Vercammen (borisson_)
- Thomas Seidl (drunken monkey)
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team