Project: 
Date: 2025-June-25
Vulnerability: Cross-site Scripting
Affected versions: <1.0.16
CVE IDs: CVE-2025-48922
Description: 

The GLightbox module is a pure JavaScript lightbox for CKEditor.

The module doesn't sufficiently filter user-supplied text for the GLightbox JavaScript library, leading to a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the GLightbox module.

Solution: 

Install the latest version:

Reported By: 
Coordinated By: