Drupal Issues Three Core Security Advisories Including Critical XSS Vulnerability

Drupal Issues Three Core Security Advisories Including Critical XSS Vulnerability

Drupal has released three core security advisories on 15 April 2026, including a critical cross-site scripting vulnerability affecting multiple supported versions of the platform.

The advisories, identified as SA-CORE-2026-001, SA-CORE-2026-002, and SA-CORE-2026-003, include one critical and two moderately critical issues. They affect Drupal core versions from 8.0.0 across supported 10.x and 11.x branches, requiring coordinated updates across installations.

The most severe issue, tracked as CVE-2026-6365, is a critical cross-site scripting vulnerability in Drupal core’s jQuery integration for AJAX modal dialog boxes. The flaw arises from insufficient sanitisation of certain options and could allow attackers to execute malicious scripts in user sessions.

A second advisory, CVE-2026-6366, describes a moderately critical gadget chain vulnerability. The issue is not directly exploitable but could be used alongside another vulnerability, such as insecure deserialisation, to enable remote code execution or SQL injection. The advisory notes that no such exploit is currently known in Drupal core.

The third issue, CVE-2026-6367, affects Drupal 11.3.x and relates to CKEditor 5 integration. Entity suggestion features used when inserting links are not sufficiently sanitised, creating the possibility of stored cross-site scripting attacks triggered by malicious input.

All three vulnerabilities affect overlapping version ranges. Users running versions earlier than Drupal 10.5.9, 10.6.7, 11.2.11, and 11.3.7 are advised to update immediately to the corresponding patched releases.

Drupal has also reiterated that versions including Drupal 11.1.x, 11.0.x, 10.4.x, and earlier are end-of-life and no longer receive security coverage. Drupal 8 and Drupal 9 have also reached end-of-life status.

Note: The vision of this web portal is to help promote news and stories around the Drupal community and promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on these content policy. If you see any omission/variation on this please reach out to us at #thedroptimes channel on Drupal Slack and we will try to address the issue as best we can.

Upcoming Events