composer

Drupal CivicTheme Design System allows Cross-Site Scripting (XSS)

Moderate severity GitHub Reviewed Published Oct 30, 2025 to the GitHub Advisory Database • Updated Oct 30, 2025

Package

drupal/civictheme (Composer)

Affected versions

< 1.12.0

Patched versions

1.12.0

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS). This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-12083
https://www.drupal.org/sa-contrib-2025-113

Published by the National Vulnerability Database

Oct 30, 2025

Published to the GitHub Advisory Database Oct 30, 2025

Reviewed Oct 30, 2025

Last updated Oct 30, 2025

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Drupal CivicTheme Design System allows Cross-Site Scripting (XSS)

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE ID

GHSA ID

Source code

Uh oh!