CVE-2025-14556

Name of the Vulnerable Software and Affected Versions Drupal Flag versions 7.X-3.0 through 7.X-3.9

Description An issue exists in Drupal Flag that allows for Cross-Site Scripting (XSS). This occurs due to improper neutralization of input during web page generation. The vulnerability could allow an attacker to inject malicious scripts into web pages viewed by other users. The vulnerable component does not sanitize user-supplied input before including it in the generated web page, leading to potential execution of arbitrary JavaScript code in the context of the user's browser. The affected API endpoints and vulnerable parameters are not specified.

Recommendations Update Drupal Flag to a version beyond 7.X-3.9.