Drupal, Cross-Site Scripting, CVE-2025-12848 (critical)


The vulnerability resides in the Webform Multiple File Upload module for Drupal 7.x, specifically in its file name rendering. This cross-site scripting (XSS) flaw arises from insufficient sanitization of user-supplied filenames. An unauthenticated attacker can exploit it by submitting a form that includes a Multifile upload field with file type validation disabled and uploading a file whose crafted filename contains JavaScript code. When the uploaded file's name is displayed on the Drupal site (for instance, in a confirmation message or a file listing), the embedded script executes in the browser of any user viewing that content, because the module does not escape HTML entities in the filename before output.

The issue originates in a third-party library, fyneworks/multifile, used by the module. It allows execution of arbitrary web scripts in the context of the victim's session, with potential for session hijacking, data manipulation, or site defacement. The patch modifies the library to sanitize filename output by HTML-entity-encoding it.
Platform: Drupal Webform Module
Version: 7.x
Vulnerability: XSS in filename
Severity: Critical
Date: 11/25/2025
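The following is an added example, not code from the fyneworks/multifile library or the Drupal Webform module. It contrasts the unescaped filename rendering described above with the HTML-entity-encoded form the patch introduces, and adds a conservative filename allowlist as a second, independent layer (the allowlist is a hypothetical policy, not the module's own validation). The sample filenames are constructed; the block runs under Node without a DOM.

```javascript
// Added example (not the library's or the module's own code): shows why
// concatenating an untrusted filename into markup is dangerous and how
// HTML entity encoding neutralises it. Runs stand-alone under Node.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five HTML metacharacters so the value is rendered as text,
// never parsed as markup. This is the class of fix the advisory describes.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the filename goes straight into the markup string.
// Any tag inside the name becomes live HTML once this is inserted into a page.
function renderFileNameUnsafe(name) {
  return `<li class="file">${name}</li>`;
}

// Hardened pattern: identical markup, but the untrusted value is encoded first.
function renderFileNameSafe(name) {
  return `<li class="file">${escapeHtml(name)}</li>`;
}

// Defence in depth for the server side of an upload handler: reject names that
// fall outside a small allowlist (hypothetical policy, chosen for this example).
const SAFE_FILENAME = /^[A-Za-z0-9._ -]{1,255}$/;
function isSafeFileName(name) {
  return SAFE_FILENAME.test(name) && !name.startsWith(".");
}

// Constructed sample input: one ordinary filename and one carrying markup.
const SAMPLE_NAMES = ["quarterly report.pdf", 'notes<i onclick="x">.txt'];

// Render each sample both ways and record whether the allowlist accepts it.
function demo() {
  return SAMPLE_NAMES.map((n) => ({
    name: n,
    unsafe: renderFileNameUnsafe(n),
    safe: renderFileNameSafe(n),
    accepted: isSafeFileName(n),
  }));
}

for (const r of demo()) console.log(r);
```

In the output, the second sample's `unsafe` rendering still contains a live `<i onclick="x">` tag while its `safe` rendering shows `&lt;i onclick=&quot;x&quot;&gt;` as inert text; the allowlist rejects it outright, which is the "Enable file validation" layer from the protection list below expressed as a server-side check.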

Prediction: Patch released 12/05/2025

What Undercode Says:

$ drush pml | grep webform_multifile

$ cd sites/all/modules/webform_multifile

$ wget https://patch-diff.githubusercontent.com/raw/fyneworks/multifile/pull/44.patch

$ patch -p1 < 44.patch

$ drush updatedb

$ drush cc all

How to Exploit:

Upload malicious filename.

Disable file validation.

Trigger filename rendering.

Protection from this CVE:

Apply provided patch.

Update module version.

Enable file validation.

Impact:

Arbitrary script execution.

Session hijacking.

Data theft.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
