CVE-2025-6674: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Drupal CKEditor5 Youtube

Medium
Tags: Vulnerability, CVE-2025-6674, CWE-79
Published: Thu Jun 26 2025 (06/26/2025, 13:33:17 UTC)
Source: CVE Database V5
Vendor/Project: Drupal
Product: CKEditor5 Youtube

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CKEditor5 Youtube allows Cross-Site Scripting (XSS). This issue affects CKEditor5 Youtube: from 0.0.0 before 1.0.3.

AI-Powered Analysis

Last updated: 06/26/2025, 14:06:41 UTC

Technical Analysis

CVE-2025-6674 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the Drupal CKEditor5 Youtube plugin in all versions from 0.0.0 before 1.0.3. The vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject script that executes in the context of the vulnerable web application. CKEditor5 Youtube is a plugin for the Drupal content management system that lets editors embed YouTube videos through the CKEditor5 framework. The flaw means that crafted input is not properly sanitized or escaped before being rendered in the browser, leading to script execution. The usual consequences of XSS apply: session hijacking, defacement, redirection to malicious sites, or theft of sensitive user data. No exploits are currently reported in the wild, but the vulnerability is publicly disclosed and can be targeted once exploit code becomes available. The absence of a CVSS score indicates that severity has not yet been formally assessed; the nature of XSS in a widely used CMS plugin nonetheless suggests a significant risk. All installations running the affected versions of the CKEditor5 Youtube plugin are exposed, and the plugin is commonly used on Drupal-based websites for rich media content management.

Potential Impact

For European organizations, this vulnerability poses a considerable risk, especially for those relying on Drupal CMS with the CKEditor5 Youtube plugin to manage web content. Successful exploitation could lead to unauthorized script execution in users' browsers, potentially compromising user credentials or session tokens, or delivering malware. This can damage organizational reputation, lead to data breaches involving personal data protected under GDPR, and disrupt business operations. Public-facing websites, e-commerce platforms, government portals, and educational institutions using the affected plugin are particularly exposed. The impact extends to loss of user trust and potential regulatory penalties if personal data is compromised. Given the widespread use of Drupal in Europe, including in public sector and enterprise environments, the threat is significant. The current lack of known exploits provides a window for proactive mitigation before widespread attacks occur.

Mitigation Recommendations

Organizations should immediately audit their Drupal installations to identify whether the CKEditor5 Youtube plugin is present and which version is installed. Upgrading to version 1.0.3 or later, once available, is the definitive remediation. In the interim, disabling or removing the CKEditor5 Youtube plugin mitigates the risk. Content Security Policy (CSP) headers can reduce the impact of XSS by restricting the sources from which scripts may execute. Strict input validation and context-appropriate output encoding of all user-supplied content, especially embedded media URLs, remain essential. Web Application Firewalls (WAFs) with rules targeting XSS payloads can provide temporary protection. Regular security scanning and monitoring for anomalous activity related to script injection attempts should be established. Finally, educating developers and content managers on secure content embedding practices helps prevent similar vulnerabilities.

Technical Details

Data Version: 5.1
Assigner Short Name: drupal
Date Reserved: 2025-06-25T17:59:51.903Z
CVSS Version: null
State: PUBLISHED

Threat ID: 685d5007ca1063fb8741d934

Added to database: 6/26/2025, 1:49:59 PM

Last enriched: 6/26/2025, 2:06:41 PM

Last updated: 8/14/2025, 9:58:41 PM
