View online: https://www.drupal.org/sa-contrib-2025-091

Project: Real-time SEO for Drupal [1] Date: 2025-July-16 Security risk: *Moderately critical* 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting

Affected versions: <2.2.0 CVE IDs: CVE-2025-7716 Description:  This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like.

The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of a XSS attack.

This vulnerability is mitigated by the fact that an attacker must be able to author content that is analyzed by the Real-Time SEO module.

Solution:  Install the latest version:

* Upgrade to yoast_seo 8.x-2.2 [3].

Reported By:  * Pierre Rudloff (prudloff) [4], provisional member of the Drupal Security Team.

Fixed By:  * Alexander Varwijk (kingdutch) [5] * Pierre Rudloff (prudloff) [6], provisional member of the Drupal Security Team.

Coordinated By:  * Damien McKenna (damienmckenna) [7] of the Drupal Security Team * Greg Knaddison (greggles) [8] of the Drupal Security Team * Pierre Rudloff (prudloff), provisional member of the Drupal Security Team [9] * Jess (xjm) [10] of the Drupal Security Team

[1] https://www.drupal.org/project/yoast_seo [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/yoast_seo/releases/8.x-2.2 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/kingdutch [6] https://www.drupal.org/u/prudloff [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/prudloff [10] https://www.drupal.org/u/xjm