CVE-2025-12848

🗓️ 26 Nov 2025 01:28:33Reported by drupalType

CVE-2025-12848: XSS via filename in Webform Multiform module for Drupal 7 during unauthenticated uploads.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2025-12848	26 Nov 202501:28	–	attackerkb
Circl	CVE-2025-12848	26 Nov 202504:06	–	circl
CNNVD	Drupal 安全漏洞	26 Nov 202500:00	–	cnnvd
Cvelist	CVE-2025-12848 XSS vulnerability when rendering filename in Webform Multiform	26 Nov 202501:28	–	cvelist
EUVD	EUVD-2025-199686	26 Nov 202501:28	–	euvd
NVD	CVE-2025-12848	26 Nov 202502:15	–	nvd
Positive Technologies	PT-2025-48120	26 Nov 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-12848	2 Dec 202519:21	–	redhatcve
Snyk	Cross-site Scripting (XSS)	26 Nov 202502:41	–	snyk
Vulnrichment	CVE-2025-12848 XSS vulnerability when rendering filename in Webform Multiform	26 Nov 202501:28	–	vulnrichment

NVD

Node

webform_multiple_file_upload_project webform_multiple_file_uploadMatch7.x-1.2drupal

webform_multiple_file_upload_project webform_multiple_file_uploadMatch7.x-1.3drupal

webform_multiple_file_upload_project webform_multiple_file_uploadMatch7.x-1.4drupal

webform_multiple_file_upload_project webform_multiple_file_uploadMatch7.x-1.5drupal

webform_multiple_file_upload_project webform_multiple_file_uploadMatch7.x-1.6drupal

webform_multiple_file_upload_project webform_multiple_file_uploadMatch7.x-1.xdevdrupal

[
  {
    "vendor": "Drupal",
    "product": "Drupal",
    "collectionURL": "https://www.drupal.org/project/webform_multifile",
    "packageName": "Webform Multifile Upload",
    "repo": "https://git.drupalcode.org/project/webform_multifile",
    "versions": [
      {
        "status": "affected",
        "version": "7.x-1.0",
        "lessThanOrEqual": "7.x-1.6",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
d7security	www.d7security.org/security-advisories/D7SECURITY-SA-CONTRIB-2025-001/
herodevs	www.herodevs.com/vulnerability-directory/cve-2025-12848
drupal	www.drupal.org/node/3105204
d7es	www.d7es.tag1.com/security-advisories/webform-multiple-file-upload-critical-cross-site-scripting

26 Mar 2026 21:17Current

6Medium risk

Vulners AI Score6

CVSS 3.16.1

CVSS 47

EPSS0.00018

SSVC

CWE-79