CVE-2025-48922 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the Drupal GLightbox component versions from 0.0.0 up to but not including 1.0.16. The vulnerability arises due to improper neutralization of input during web page generation, allowing malicious actors to inject and execute arbitrary scripts in the context of the affected web application. GLightbox is a popular JavaScript lightbox library integrated into Drupal sites for displaying images and other media in overlay windows. The flaw permits attackers to craft specially crafted input that is not properly sanitized or encoded before being rendered in the browser, leading to execution of malicious JavaScript code. This can result in session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and affects all Drupal sites using vulnerable GLightbox versions. The lack of a CVSS score indicates the need for a severity assessment based on the nature of the vulnerability and its potential impact. The vulnerability does not require authentication or user interaction beyond visiting a maliciously crafted page or inputting malicious data, making exploitation relatively straightforward if the site is exposed. The vulnerability is particularly concerning for Drupal-based websites that rely on GLightbox for media display, as it could be leveraged to compromise site visitors or administrators.

For European organizations, this XSS vulnerability poses significant risks, especially for those operating public-facing Drupal websites that utilize GLightbox. Successful exploitation could lead to compromise of user sessions, enabling attackers to impersonate legitimate users, including administrators, potentially resulting in unauthorized access to sensitive data or administrative functions. It could also facilitate phishing attacks by injecting malicious content or redirecting users to fraudulent sites, undermining user trust and damaging organizational reputation. In sectors such as finance, healthcare, government, and e-commerce, where Drupal is commonly used, the impact could extend to regulatory non-compliance and financial losses due to data breaches or service disruption. Additionally, the vulnerability could be used as a foothold for further attacks within the organization’s network if attackers leverage stolen credentials or session tokens. The absence of known exploits currently provides a window for proactive mitigation, but the public disclosure increases the risk of future exploitation attempts.

Organizations should immediately identify all Drupal installations using GLightbox versions prior to 1.0.16. Since no patch links are provided, it is critical to monitor Drupal security advisories for the release of an official patch or update. In the interim, organizations can mitigate risk by implementing strict Content Security Policy (CSP) headers to restrict script execution and reduce the impact of XSS attacks. Input validation and output encoding should be enforced at the application level to sanitize user inputs and prevent injection of malicious scripts. Web Application Firewalls (WAFs) can be configured to detect and block common XSS attack patterns targeting GLightbox. Additionally, organizations should conduct thorough security testing, including automated scanning and manual code review, to identify and remediate any instances of unsanitized input rendering. User awareness training should emphasize caution with links and inputs on affected sites. Finally, organizations should prepare incident response plans to quickly address any exploitation attempts once patches become available.