This module enables you to add the Umami Analytics web statistics tracking system to your website.
The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should alert administrators that this permission is potentially dangerous and can lead to cross-site scripting (XSS) vulnerabilities.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer umami analytics”.
Install the latest version:
- If you use the Umami Analytics module, upgrade to Umami Analytics 1.0.1 or 2.0.-beta3.
Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.
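One way to carry out that review on a site that keeps its configuration in exported files, as an added example that is not part of the advisory or the module's code. It assumes roles are exported as `user.role.*.yml` in Drupal's usual flat layout, and the sample files are constructed; roles with `is_admin: true` are reported too, because Drupal grants them every permission.

```python
import re
from pathlib import Path
PERMISSION = "administer umami analytics"  # name as quoted in the advisory

def parse_role(text):
    """Line-based reader for Drupal's flat user.role.*.yml export; not general YAML."""
    role = {"id": None, "is_admin": False, "permissions": []}
    in_perms = False
    for line in text.splitlines():
        if in_perms:
            item = re.match(r"\s*-\s+(.*)$", line)
            if item:
                role["permissions"].append(item.group(1).strip().strip("'\""))
                continue
            in_perms = False  # list ended, treat the line as a normal key
        key, _, value = line.partition(":")
        value = value.strip().strip("'\"")
        if key == "id":
            role["id"] = value
        elif key == "is_admin":
            role["is_admin"] = value == "true"
        elif key == "permissions":
            in_perms = True
    return role

def roles_with_permission(configs, permission=PERMISSION):
    """Map role id -> reason for every role that holds the permission."""
    hits = {}
    for name in sorted(configs):
        role = parse_role(configs[name])
        if role["is_admin"]:  # admin roles pass every permission check
            hits[role["id"]] = "admin role (all permissions)"
        elif permission in role["permissions"]:
            hits[role["id"]] = "explicit grant"
    return hits

def audit_directory(sync_dir):  # sync_dir: the site's config sync path
    files = Path(sync_dir).glob("user.role.*.yml")
    return roles_with_permission({f.name: f.read_text() for f in files})

SAMPLE = {  # constructed sample exports, not taken from any real site
    "user.role.administrator.yml": "id: administrator\nis_admin: true\npermissions: {  }\n",
    "user.role.authenticated.yml": "id: authenticated\nis_admin: false\npermissions:\n  - 'access content'\n",
    "user.role.editor.yml": "id: editor\nis_admin: null\npermissions:\n  - 'access content'\n  - 'administer umami analytics'\n",
}

if __name__ == "__main__":
    for role_id, reason in roles_with_permission(SAMPLE).items():
        print(f"{role_id}: {reason}")
```

The exported files show only which roles hold the permission; which users have those roles still has to be checked on the live site.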
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team