PatchSiren cyber security CVE debrief
CVE-2025-71310 BackdropCMS CVE debrief
A stored Cross-Site Scripting (XSS) vulnerability exists in the GDPR Cookies module for Backdrop CMS versions prior to 1.x-1.3.5. The flaw resides in the 'Info content' field for the YouTube service configuration, which fails to adequately sanitize user input. Successful exploitation requires an attacker to possess elevated privileges—specifically the 'Create a GDPR Cookies Service' or 'Edit any GDPR Cookies Service' permissions—and for the target site to have configured a YouTube service. The vulnerability was disclosed on 26 May 2026 and carries a LOW severity CVSS 4.0 score of 1.8, reflecting the high attack complexity and restricted attack surface. No known exploitation in the wild has been reported, and the issue is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: BackdropCMS
- Product: GDPR Cookies module for Backdrop CMS
- CVSS: LOW 1.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Backdrop CMS site administrators, security teams managing GDPR compliance implementations, and organizations using the GDPR Cookies module with YouTube service integration.
Technical summary
The GDPR Cookies module for Backdrop CMS fails to properly sanitize the 'Info content' field when configuring YouTube services, allowing stored XSS. The attack vector requires authenticated access with specific administrative permissions. The CVSS 4.0 score of 1.8 (LOW) reflects the vector AV:N/AC:H/AT:P/PR:H/UI:A. Fixed in version 1.x-1.3.5.
Defensive priority
low
Recommended defensive actions
- Upgrade Backdrop CMS GDPR Cookies module to version 1.x-1.3.5 or later
- Review user roles and restrict 'Create a GDPR Cookies Service' and 'Edit any GDPR Cookies Service' permissions to trusted administrators only
- Audit existing YouTube service configurations for suspicious content in the 'Info content' field
- Implement Content Security Policy headers to mitigate impact of any undiscovered XSS vectors
- Enable input validation and output encoding for all user-supplied content in administrative interfaces
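The audit and output-encoding actions above, as an added example that is not part of this debrief or of the GDPR Cookies module: a small Python helper that scans exported service records for script-related HTML (CWE-80) in the 'Info content' value and shows the plain-text encoding a display context should apply. The record layout (`service`, `info_content`) and the sample export are constructed assumptions; map them to however your site exports the module's configuration.

```python
"""Audit helper for GDPR Cookies 'Info content' values (constructed example)."""
import html
import re

# Script-related HTML constructs (CWE-80) that have no place in a cookie-notice text.
# Patterns tolerate case, whitespace and attribute noise so simple obfuscation is caught.
SUSPICIOUS = [
    ("script tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("embedded frame/object", re.compile(r"<\s*(iframe|object|embed)\b", re.I)),
    ("data: text/html URL", re.compile(r"data\s*:\s*text/html", re.I)),
]


def audit_info_content(text: str) -> list[str]:
    """Return the names of the suspicious constructs found in one field value."""
    return [name for name, pat in SUSPICIOUS if pat.search(text)]


def audit_services(records: list[dict]) -> dict[str, list[str]]:
    """Audit exported service records; only services with findings are returned.

    The keys 'service' and 'info_content' are an assumed export layout."""
    findings = {}
    for rec in records:
        hits = audit_info_content(rec.get("info_content", ""))
        if hits:
            findings[rec["service"]] = hits
    return findings


def encode_for_display(text: str) -> str:
    """Output encoding for a context that should only ever show plain text.

    This is the generic mitigation the debrief lists, not the module's own fix."""
    return html.escape(text, quote=True)


# Constructed sample export: one clean YouTube entry, one carrying injected markup.
SAMPLE_EXPORT = [
    {"service": "youtube", "info_content": "YouTube embeds set cookies only after consent."},
    {"service": "youtube-legacy", "info_content": 'Consent <img src=x onerror="alert(1)"> required'},
]

if __name__ == "__main__":
    for svc, hits in audit_services(SAMPLE_EXPORT).items():
        print(f"{svc}: {', '.join(hits)}")
```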
Evidence notes
Official advisory confirms stored XSS in GDPR Cookies module 'Info content' field for YouTube service configuration. CVSS 4.0 vector indicates network attack vector with high attack complexity, privileged access required, and user interaction necessary. CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) identified as primary weakness.
Official resources
- CVE-2025-71310 CVE record (CVE.org)
- CVE-2025-71310 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Disclosed 26 May 2026 via NVD with an official advisory from the Backdrop CMS security team.