CVE-2025-11570: 
PHP vulnerability analysis and mitigation

CVE-2025-11570 affects the package drupal-pattern-lab/unified-twig-extensions from version 0.0.0 onwards. This vulnerability was discovered on October 10, 2025, and is related to Cross-site Scripting (XSS) due to insufficient filtering of data. The vulnerability specifically affects the package when executed outside of Drupal, where the function is intended to be shared between Drupal and Pattern Lab (NVD, Snyk Advisory).

The vulnerability is classified as a Cross-site Scripting (XSS) issue with a CVSS v4.0 score of 4.8 (Medium) and CVSS v3.1 score of 4.6 (Medium). The vulnerability vector string for CVSS v4.0 is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P, indicating network accessibility with low attack complexity and requiring low privileges. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, Snyk Advisory).

The vulnerability allows for Cross-site Scripting attacks when the code is executed outside of Drupal environment. The impact is considered medium severity with limited effects on both confidentiality and integrity, while having no impact on availability. Snyk has confirmed the existence of a proof-of-concept exploit, with an EPSS probability of 0.03% (7th percentile) for exploitation in the wild (Snyk Advisory).

The package drupal-pattern-lab/unified-twig-extensions is currently unmaintained. The fix for this vulnerability exists in version 1.1.1 of drupal/unified_twig_ext. Users are advised to migrate to the maintained package version (NVD, Snyk Advisory).