CVE-2025-48447 is a high-severity Cross-Site Scripting (XSS) vulnerability identified in the Drupal Lightgallery module, affecting versions from 0.0.0 up to but not including 1.6.0. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. Specifically, this flaw allows an attacker with at least low privileges (PR:L) to inject malicious scripts into web pages generated by the Lightgallery module without requiring any user interaction (UI:N). The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), and it does not impact confidentiality but can affect integrity and availability. The CVSS v3.1 base score is 7.1, reflecting the potential for attackers to execute arbitrary scripts that could alter the content or behavior of web pages, potentially leading to defacement, session hijacking, or denial of service. The scope remains unchanged (S:U), meaning the vulnerability affects only the vulnerable component without impacting other system components. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved on May 21, 2025, and published on June 11, 2025.

For European organizations using Drupal with the Lightgallery module, this vulnerability poses a significant risk. Exploitation could allow attackers to inject malicious scripts that compromise the integrity of web content, potentially leading to unauthorized actions on behalf of users, defacement of public-facing websites, or disruption of services. Since Drupal is widely used across various sectors including government, education, and private enterprises in Europe, the impact could be broad. Attackers might leverage this vulnerability to target sensitive web portals, leading to reputational damage, loss of user trust, and potential regulatory penalties under GDPR if personal data is indirectly affected. The lack of required user interaction increases the risk of automated exploitation, potentially affecting many users visiting vulnerable sites. The vulnerability's requirement for low privileges means that even compromised or less-privileged accounts could be leveraged to escalate attacks, increasing the threat surface.

European organizations should immediately audit their Drupal installations to identify the use of the Lightgallery module and verify the version in use. Until an official patch is released, organizations should consider disabling or removing the Lightgallery module if it is not essential. For critical deployments, implementing Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting Lightgallery can provide interim protection. Additionally, applying strict Content Security Policies (CSP) to restrict script execution sources can mitigate the impact of injected scripts. Organizations should also enforce the principle of least privilege for user accounts to limit the potential for exploitation by low-privilege users. Monitoring web application logs for unusual input patterns or script injections related to Lightgallery endpoints is recommended to detect attempted exploitation. Once patches become available, prompt application of updates is critical. Finally, educating developers and administrators about secure coding and input validation practices will help prevent similar vulnerabilities.