The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.
This advisory is not covered by Drupal Steward.
Also see Entity Embed – Moderately critical – Cross Site Request Forgery – SA-CONTRIB-2021-028 which addresses a similar vulnerability for that module.
Updated 18:15 UTC to clarify text.
Install the latest version:
If you are using Drupal 9.2, update to Drupal 9.2.6.
If you are using Drupal 9.1, update to Drupal 9.1.13.
If you are using Drupal 8.9, update to Drupal 8.9.19.
Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.
Drupal 7 core is not affected.
Sean Blommaert
Alex Bronstein of the Drupal Security Team
Marcos Cano
Lee Rowlands of the Drupal Security Team
Adam G-H
Jess of the Drupal Security Team
Drew Webber of the Drupal Security Team
Neil Drumm of the Drupal Security Team
Brian Tofte-Schumacher
More Stories
Multiple Vulnerabilities in Fortinet Products Could Allow for Remote Code Execution
Multiple vulnerabilities have been discovered Fortinet Products, the most severe of which could allow for remote code execution. FortiManager...
Critical Patches Issued for Microsoft Products, February 11, 2025
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in...
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Successful...
python3.11-3.11.11-5.fc40
FEDORA-2025-f613fe78b6 Packages in this update: python3.11-3.11.11-5.fc40 Update description: Security fix for CVE-2025-0938 Read More
python3.11-3.11.11-5.fc41
FEDORA-2025-81304012fc Packages in this update: python3.11-3.11.11-5.fc41 Update description: Security fix for CVE-2025-0938 Read More
python3.10-3.10.16-5.fc40
FEDORA-2025-10e053d399 Packages in this update: python3.10-3.10.16-5.fc40 Update description: Security fix for CVE-2025-0938 Read More