CVE-2026-6365
Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
CVSS Score: 6.1
EPSS Score: 0.0%
EPSS Percentile: 8th
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
| CWE | CWE-79 |
| Vendor | drupal |
| Product | drupal core |
| Ecosystems | |
| Industries | WebMedia |
| Published | May 19, 2026 |
| Last Updated | May 20, 2026 |
Affected Versions
Drupal / Drupal core
8.0.0 < 10.5.9, 10.6.0 < 10.6.7, 11.0.0 < 11.2.11, 11.3.0 < 11.3.7
Credits
Murat Kekiç (murat_kekic), Anna Kalata (akalata), Benji Fisher (benjifisher), Neil Drumm (drumm), Lee Rowlands (larowlan), Michael Hess (mlhess), James Gilliland (neclimdul), Joseph Zhao (pandaski), Juraj Nemec (poker10), Ra Mänd (ram4nd), Jess (xjm), Greg Knaddison (greggles), Lee Rowlands (larowlan), Pierre Rudloff (prudloff), Jess (xjm)