Drupal Core Releases Fix Three Moderately Critical Security Issues
New Drupal core releases fix three security issues, all rated moderately critical: two cross-site scripting vulnerabilities and one information disclosure vulnerability. The Drupal Security Team published the advisories on 15 July 2026, with fixes included in Drupal 11.4.4, Drupal 11.3.14, and Drupal 10.6.13.
Exposure differs across the three vulnerabilities because each depends on a specific permission, editing workflow, or file configuration. All three advisories classify exploitation as theoretical, but the release notes urge supported sites to update immediately. Two of the advisories also describe hardening that may require attention from contributed-module maintainers.
SA-CORE-2026-012, tracked as CVE-2026-55805, addresses insufficient sanitisation of block labels in the Layout Builder editing interface. The weakness can result in cross-site scripting in certain scenarios. The advisory says both the attacker and the targeted user must be using the Layout Builder editing interface, narrowing practical exposure.
SA-CORE-2026-011, tracked as CVE-2026-15917, concerns HTMX attributes that Drupal core’s cross-site scripting filter does not sufficiently sanitise. Drupal core 11.2 and later integrate the HTMX JavaScript library, and exploitation requires an attacker to be able to insert HTML containing specific attributes. Drupal 10 core is not affected, but Drupal 10.6.13 includes hardening because certain contributed modules may process the affected attributes.
SA-CORE-2026-010, tracked as CVE-2026-15916, concerns access checks for image-style derivatives served through a file stream other than private://. The issue applies when Drupal uses a contributed file scheme to serve private derived images, making it dependent on a less common configuration. The Drupal Security Team describes the fix as hardening and says contributed modules implementing custom stream wrappers may need similar protections.
The HTMX advisory has the highest risk score of the three at 14 out of 25. The Layout Builder advisory scores 13, while the image-access advisory scores 10. These scores do not indicate active exploitation because all three advisories list the exploit status as theoretical.
Sites on Drupal 11.4.x should update to Drupal 11.4.4, sites on Drupal 11.3.x should update to Drupal 11.3.14, and sites on Drupal 10.6.x should update to Drupal 10.6.13. Drupal 11.2.x and earlier and Drupal 10.5.x and earlier have reached end of life and do not receive security coverage. Sites on those branches must move to a supported minor release rather than wait for a patch to their current branch.
