CVE-2025-11570: 
PHP vulnerability analysis and mitigation

CVE-2025-11570 affects the drupal-pattern-lab/unified-twig-extensions package, specifically versions from 0.0.0 onwards. The vulnerability was discovered on November 4, 2024, and publicly disclosed on December 9, 2024. This security issue involves a Cross-site Scripting (XSS) vulnerability due to insufficient filtering of data in the package (Snyk).

The vulnerability is classified as a Cross-site Scripting (XSS) issue with a CVSS v4.0 base score of 4.8 (Medium) and CVSS v3.1 base score of 4.6 (Medium). The vulnerability is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation). The technical assessment indicates that the vulnerability requires low-level privileges and active user interaction, with the attack vector being network-accessible (NVD).

The vulnerability has limited impact on both confidentiality and integrity, with no impact on availability. It's important to note that this vulnerability is only exploitable when the code is executed outside of Drupal, as the affected function is intended to be shared between Drupal and Pattern Lab (Snyk).

The package drupal-pattern-lab/unified-twig-extensions is currently unmaintained. The fix for this vulnerability exists in version 1.1.1 of drupal/unifiedtwigext. Users are advised to migrate to the maintained package version (NVD).