CVE-2025-9549

Description

This module enables you to to easily create and manage faceted search interfaces. The module doesn't sufficiently check access to entities when they are displayed as facets. This vulnerability is mitigated by the fact that only sites that show facets with entity labels (like taxonomy terms) are affected, and only if some of those entities are unpublished or have other access restrictions. **CVSS risk score ([experimental](https://www.drupal.org/project/securitydrupalorg/issues/3442181)) 6.9 / Medium** [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

How to fix CVE-2025-9549

To remediate CVE-2025-9549, upgrade the affected package to a fixed version below.

• —upgrade to 2.0.10 or later

Is CVE-2025-9549 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.0.10 | >= 3.0.0, < 3.0.1

References (1)

• WEBwww.drupal.org/sa-contrib-2025-099