Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-May-21
Vulnerability:
Cross Site Scripting
Affected versions:
<1.6.0
CVE IDs:
CVE-2025-48447
Description:
This module integrates Drupal with LightGallery, enabling the use of the LightGallery library with any image field or view.
The module does not adequately sanitize user input in the image field’s "alt" attribute, potentially allowing cross-site scripting (XSS) attacks when tags or scripts are inserted.
This vulnerability is partially mitigated by the requirement that an attacker must have permission to create content containing an image field configured to use the LightGallery format.
Solution:
Install the latest version:
- If you use the Lightgallery module, upgrade to Lightgallery 8.x-1.6
Reported By:
- Pierre Rudloff (prudloff) Provisional Member of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff) Provisional Member of the Drupal Security Team
