Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-August-27
Security risk:
Vulnerability:
Information Disclosure
Affected versions:
<2.0.10 || >=3.0.0 <3.0.1
CVE IDs:
CVE-2025-9549
Description:
This module enables you to to easily create and manage faceted search interfaces.
The module doesn't sufficiently check access to entities when they are displayed as facets.
This vulnerability is mitigated by the fact that only sites that show facets with entity labels (like taxonomy terms) are affected, and only if some of those entities are unpublished or have other access restrictions.
CVSS risk score (experimental) 6.9 / Medium
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Solution:
Install the latest version:
- If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1
Reported By:
- Damien McKenna (damienmckenna) of the Drupal Security Team
Fixed By:
- Benji Fisher (benjifisher) of the Drupal Security Team
- Joris Vercammen (borisson_)
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Thomas Seidl (drunken monkey)
- Jimmy Henderickx (strykaizer)
Coordinated By:
- Benji Fisher (benjifisher) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Cathy Theys (yesct) of the Drupal Security Team
