CVE-2026-6367
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
CVSS Score
6.1
EPSS Score
0.0%
EPSS Percentile
8th
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.
| CWE | CWE-79 |
| Vendor | drupal |
| Product | drupal core |
| Ecosystems | |
| Industries | WebMedia |
| Published | May 19, 2026 |
| Last Updated | May 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for drupal drupal core
Be the first to know when new medium vulnerabilities affecting drupal drupal core are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Drupal / Drupal core
11.3.0 < 11.3.7
Credits
cantina_security Dries Buytaert (dries) Shirsendu Mondal Lee Rowlands (larowlan) Drew Webber (mcdruid) Mingsong (mingsong) Damien McKenna (damienmckenna) Greg Knaddison (greggles) Lee Rowlands (larowlan) Juraj Nemec (poker10) Jess (xjm)