Vulnerability Description
The Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer: the name of an uploaded file is inserted into the page as HTML without being escaped. An unauthenticated attacker can exploit this by uploading a file whose name contains markup and JavaScript (for example, "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field on which file type validation is disabled. When the file name is rendered, the browser parses the markup and executes the script in the origin of the site, in the browser of whoever views the rendered name. The defect is in a bundled third-party library rather than in the module's own code, and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module; because the bug lives in the bundled library, confirm that the library shipped with your installed module version actually carries the fix rather than relying on the module version number alone.
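The following is an added illustration, not code from the Webform Multiple File Upload module or from the fyneworks/multifile library. It shows the unescaped rendering pattern the advisory describes beside a hardened renderer, a server-side filename sanitizer, and a small check for spotting filename-based XSS probes in stored data or logs. The function names, the `filename` class, the sanitizer policy and the sample filenames are all assumptions made for the example; the example generalizes beyond the single payload quoted above to any HTML-significant character in a filename. It runs under Node.js with no dependencies.

```javascript
// Added example (assumed names and policy; not the module's or plugin's code).
// Demonstrates why an unescaped filename renderer is an XSS sink and what
// the escaped version looks like.

// Constructed sample inputs: one attacker-controlled name of the kind the
// advisory describes, one ordinary name.
const MALICIOUS_NAME = '<img src=1 onerror=alert(document.domain)>.pdf';
const BENIGN_NAME = 'quarterly report.pdf';

// Vulnerable pattern: the raw filename is concatenated into markup that is
// later handed to innerHTML / jQuery .html(). The browser parses the <img>
// element inside the name and fires its onerror handler in the page origin.
function renderFileNameUnsafe(name) {
  return '<span class="filename">' + name + '</span>';
}

// Hardened pattern: escape the five HTML-significant characters before the
// name touches markup. Building the node with textContent is equivalent.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderFileNameSafe(name) {
  return '<span class="filename">' + escapeHtml(name) + '</span>';
}

// Defense in depth on the server (assumed policy for this example, not one
// the advisory prescribes): a filename is only a label, so strip any path
// component and replace control and markup characters. Output escaping
// above remains the actual fix; this only narrows what gets stored.
function sanitizeFileName(name) {
  const base = String(name).split(/[\\/]/).pop();          // drop directory components
  const cleaned = base.replace(/[\x00-\x1f<>"'&]/g, '_');  // control chars and markup chars
  return cleaned.length ? cleaned : 'upload';
}

// Hunting helper: does a stored or logged filename look like a markup probe?
// Deliberately broad (tag opener, inline event handler, javascript: URL).
function looksLikeMarkupProbe(name) {
  return /<\s*[a-z!/]|on[a-z]+\s*=|javascript:/i.test(name);
}

// Stand-alone demo: compare the two renderers on the malicious name.
console.log('unsafe :', renderFileNameUnsafe(MALICIOUS_NAME));
console.log('safe   :', renderFileNameSafe(MALICIOUS_NAME));
console.log('stored :', sanitizeFileName(MALICIOUS_NAME));
console.log('probe? :', looksLikeMarkupProbe(MALICIOUS_NAME));
```

The unsafe renderer emits the `<img>` element verbatim, so any page that assigns that string to `innerHTML` runs the handler; the safe renderer emits `&lt;img ...&gt;`, which the browser displays as literal text. Note that `sanitizeFileName` alone would not have been a complete fix: a renderer that escapes on output is correct for every filename, while input filtering only covers the characters you thought of.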
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Webform Multiple File Upload Project | Webform Multiple File Upload | 7.x-1.2 |
Related Weaknesses (CWE)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- https://d7es.tag1.com/security-advisories/webform-multiple-file-upload-critical- (Third-party advisory; URL truncated in source)
- https://www.d7security.org/security-advisories/D7SECURITY-SA-CONTRIB-2025-001/ (Third-party advisory)
- https://www.drupal.org/node/3105204 (Patch, Vendor Advisory)
- https://www.herodevs.com/vulnerability-directory/cve-2025-12848 (Third-party advisory)
FAQ
What is CVE-2025-12848?
CVE-2025-12848 is a cross-site scripting (XSS) vulnerability in the file name renderer of the Webform Multiple File Upload module for Drupal 7.x, with a CVSS base score of 6.1 (MEDIUM). An unauthenticated attacker can trigger it by uploading a file with a crafted name to a Multifile field on a Webform node where file type validation is disabled; the name is rendered unescaped and the embedded script runs in the victim's browser.
How severe is CVE-2025-12848?
CVE-2025-12848 has been rated MEDIUM with a CVSS base score of 6.1/10. This page lists only the base score; the CVSS vector string is not given here.
Is there a patch for CVE-2025-12848?
Yes. The fix is in the third-party library bundled with the module; the patch is published at https://github.com/fyneworks/multifile/pull/44 and the vendor advisory is linked in the references section above. The affected product is Webform Multiple File Upload (Webform Multiple File Upload Project), version 7.x-1.2.