CVE-2025-13947
BaseFortify
Publication date: 2025-12-03
Last updated on: 2026-04-20
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 9 |
| redhat | enterprise_linux | 8 |
| webkitgtk | webkitgtk | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in WebKitGTK allows a remote attacker to trick a user into dragging and dropping files from their local system via a malicious webpage. Because WebKitGTK does not properly verify if drag operations originate from outside the browser, the attacker can gain access to any files the user is permitted to read, leading to unintended information disclosure. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can expose sensitive local files to a remote attacker when the user interacts with a malicious webpage. This can lead to unauthorized disclosure of personal or confidential information stored on the user's system. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update WebKitGTK to a version where this flaw is fixed. Avoid interacting with untrusted websites that may exploit the drag-and-drop mechanism. Additionally, consider restricting or monitoring drag-and-drop operations in browsers using WebKitGTK until a patch is applied. [1]