Drupal Issues Three Core Security Advisories Including Critical XSS Vulnerability
Drupal has released three core security advisories on 15 April 2026, including a critical cross-site scripting vulnerability affecting multiple supported versions of the platform.
The advisories, identified as SA-CORE-2026-001, SA-CORE-2026-002, and SA-CORE-2026-003, include one critical and two moderately critical issues. They affect Drupal core versions from 8.0.0 across supported 10.x and 11.x branches, requiring coordinated updates across installations.
The most severe issue, tracked as CVE-2026-6365, is a critical cross-site scripting vulnerability in Drupal core’s jQuery integration for AJAX modal dialog boxes. The flaw arises from insufficient sanitisation of certain options and could allow attackers to execute malicious scripts in user sessions.
A second advisory, CVE-2026-6366, describes a moderately critical gadget chain vulnerability. The issue is not directly exploitable but could be used alongside another vulnerability, such as insecure deserialisation, to enable remote code execution or SQL injection. The advisory notes that no such exploit is currently known in Drupal core.
The third issue, CVE-2026-6367, affects Drupal 11.3.x and relates to CKEditor 5 integration. Entity suggestion features used when inserting links are not sufficiently sanitised, creating the possibility of stored cross-site scripting attacks triggered by malicious input.
All three vulnerabilities affect overlapping version ranges. Users running versions earlier than Drupal 10.5.9, 10.6.7, 11.2.11, and 11.3.7 are advised to update immediately to the corresponding patched releases.
Drupal has also reiterated that versions including Drupal 11.1.x, 11.0.x, 10.4.x, and earlier are end-of-life and no longer receive security coverage. Drupal 8 and Drupal 9 have also reached end-of-life status.
