CVE-2025-13083: Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels

November 18, 2025 (updated November 19, 2025)

Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

References

github.com/advisories/GHSA-mhpg-hpj5-73r2
github.com/drupal/core
nvd.nist.gov/vuln/detail/CVE-2025-13083
www.drupal.org/sa-core-2025-008

Code Behaviors & Features

Detect and mitigate CVE-2025-13083 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →