CVE-2026-6367
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
| CVSS Score | 6.1 |
| EPSS Score | 0.2% |
| EPSS Percentile | 10th |
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core from 11.3.0 before 11.3.7.
| CWE | CWE-79 |
| Vendor | drupal |
| Product | drupal core |
| Ecosystems | |
| Industries | WebMedia |
| Published | May 19, 2026 |
| Last Updated | Jun 22, 2026 |
Affected Versions
Drupal / Drupal core
11.3.0 < 11.3.7
Credits
cantina_security, Dries Buytaert (dries), Shirsendu Mondal, Lee Rowlands (larowlan), Drew Webber (mcdruid), Mingsong (mingsong), Damien McKenna (damienmckenna), Greg Knaddison (greggles), Lee Rowlands (larowlan), Juraj Nemec (poker10), Jess (xjm), Dmitrijs Trizna (dtrizna)