CVE-2026-55808
Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009
CVSS Score
5.4
EPSS Score
0.1%
EPSS Percentile
5th
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
| CWE | CWE-79 |
| Vendor | drupal |
| Product | drupal core |
| Ecosystems | |
| Industries | WebMedia |
| Published | Jul 10, 2026 |
| Last Updated | Jul 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for drupal drupal core
Be the first to know when new medium vulnerabilities affecting drupal drupal core are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
Affected Versions
Drupal / Drupal core
0.0.0 < 10.5.12 10.6.0 < 10.6.11 11.2.0 < 11.2.14 11.3.0 < 11.3.12 0.0.0 < 11.0.* 0.0.0 < 11.1.*
Credits
cantina_security BjΓΒΆrn Brala (bbrala) Kim Pepper (kim.pepper) Lee Rowlands (larowlan) Damien McKenna (damienmckenna) Greg Knaddison (greggles) Lee Rowlands (larowlan) Dave Long (longwave) Juraj Nemec (poker10) Jess (xjm)