PatchSiren cyber security CVE debrief
CVE-2025-11570 drupal-pattern-lab CVE debrief
CVE-2025-11570 describes a cross-site scripting issue in drupal-pattern-lab/unified-twig-extensions stemming from insufficient filtering of data. The issue is described as exploitable only when the shared code runs outside Drupal, which materially narrows practical exposure. The package is also described as unmaintained, and the supplied record points to a fix in drupal/unified_twig_ext 1.1.1.
- Vendor: drupal-pattern-lab
- Product: unified-twig-extensions
- CVSS: LOW 1.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-10-10
- Original CVE updated: 2026-04-29
- Advisory published: 2025-10-10
- Advisory updated: 2026-04-29
Who should care
Teams using drupal-pattern-lab/unified-twig-extensions, any downstream forks, and integrators that execute the shared Twig extension code outside Drupal. Security teams should pay attention if the package is present in production, especially in environments that render user-controlled content in Pattern Lab or other non-Drupal contexts.
Technical summary
The advisory describes an XSS condition caused by insufficient filtering in versions of drupal-pattern-lab/unified-twig-extensions from 0.0.0. NVD maps the weakness to CWE-79 and assigns a CVSS v4.0 base score of 1.9 (LOW). The supplied notes also state that exploitation is only possible if the code is executed outside of Drupal, because the function is intended to be shared between Drupal and Pattern Lab. The package is described as unmaintained, and the referenced fix exists in drupal/unified_twig_ext 1.1.1.
Defensive priority
Low, but actionable if the package is in use. The severity score is low and exploitability is constrained by execution context, yet the package is unmaintained and a maintained replacement/fix is identified.
Recommended defensive actions
- Inventory all uses of drupal-pattern-lab/unified-twig-extensions and confirm whether any deployment executes the shared Twig function outside Drupal.
- If the package is in use, migrate to drupal/unified_twig_ext 1.1.1 or a later maintained release path referenced by the advisory.
- Review any templates or integrations that pass user-controlled data into the affected function and ensure output encoding/filtering is enforced before rendering.
- If immediate migration is not possible, minimize exposure by restricting non-Drupal execution paths and treating the affected output as untrusted until replaced.
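As an added example (not code from PatchSiren or from the package maintainers), a small Python script that carries out the inventory step above by scanning a composer.lock for the two package names the debrief cites: every release of drupal-pattern-lab/unified-twig-extensions is flagged because the advisory covers all versions from 0.0.0, and drupal/unified_twig_ext is flagged only below the referenced fix release 1.1.1. The sample lock contents are constructed.

```python
"""Scan a composer.lock for the packages named in the CVE-2025-11570 debrief."""
import json
import re

# Package names and the fixed release as given in the debrief.
AFFECTED_ALL_VERSIONS = "drupal-pattern-lab/unified-twig-extensions"
FIXED_PACKAGE = "drupal/unified_twig_ext"
FIXED_VERSION = (1, 1, 1)


def parse_version(text):
    """Turn '1.1.1', 'v1.0.2' or '1.1.1-beta1' into a comparable tuple of ints.
    Pre-release suffixes are ignored and missing components are padded with
    zeros, so branch aliases such as 'dev-main' compare as (0, 0, 0) and are
    flagged for manual review rather than silently passed."""
    nums = re.findall(r"\d+", text.split("-")[0])
    parts = [int(n) for n in nums[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def find_findings(lock_json):
    """Return (package, version, reason) tuples for entries that need action."""
    data = json.loads(lock_json)
    findings = []
    # composer.lock keeps production and dev dependencies in separate arrays.
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            name, version = pkg.get("name", ""), pkg.get("version", "")
            if name == AFFECTED_ALL_VERSIONS:
                findings.append((name, version, "unmaintained; all versions affected, migrate"))
            elif name == FIXED_PACKAGE and parse_version(version) < FIXED_VERSION:
                findings.append((name, version, "below fixed release 1.1.1"))
    return findings


# Constructed sample lock file; the versions here are illustrative only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal-pattern-lab/unified-twig-extensions", "version": "0.1.0"},
        {"name": "twig/twig", "version": "v3.8.0"},
    ],
    "packages-dev": [
        {"name": "drupal/unified_twig_ext", "version": "1.0.0"},
    ],
})

if __name__ == "__main__":
    for name, version, reason in find_findings(SAMPLE_LOCK):
        print(f"{name} {version}: {reason}")
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file's contents; a hit on either name means the migration step above applies.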
Evidence notes
The CVE description says versions from 0.0.0 are vulnerable to XSS due to insufficient filtering, and that exploitation is only possible outside Drupal. NVD metadata lists CWE-79, a CVSS v4.0 base score of 1.9, and status Deferred. The source references include a code location in the package, a Snyk advisory, and a Drupal security advisory, all cited in the supplied record. The CVE was published on 2025-10-10 and later modified on 2026-04-29.
Official resources
Publicly disclosed on 2025-10-10 and later modified in the record on 2026-04-29. NVD currently lists the vulnerability status as Deferred.