CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

criticalCVE-2026-6367
Project: Drupal core Date: 2026-April-15 Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Cross-site scripting Affected versions: >= 11.3.0 < 11.3.7 CVE IDs: CVE-2026-6367 Description: Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user. Solution: Install the latest version: If you use Drupal 11.3.x, update to Drupal 11.3.7 Drupal versions below 11.3 are not affected by this vulnerability Reported By: cantina_security Dries Buytaert (dries) Dmitrijs Trizna (dtrizna) Shirsendu Mondal Fixed By: Lee Rowlands (larowlan) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team Mingsong (mingsong) , provisional member of the Drupal Security Team Coordinated By: Damien McKenna (damienmckenna) of the Drupal Security Team Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team Jess (xjm) of the Drupal Security Team

CSIRTS triage

What
This vulnerability allows for stored cross-site scripting attacks due to insufficient sanitization.
Who is affected
Users of Drupal versions 11.3.0 to 11.3.6 are affected.
Urgency
Remediation is critical due to the potential for exploitation.
Action
Update to Drupal 11.3.7 to mitigate this vulnerability.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Drupal core

Get an email when a new Drupal core advisory drops — max one per day, one-click unsubscribe.

Details

Source
Drupal Security Advisories (INTL · vendor-psirt · site)
Severity
critical
Published
2026-04-15
Exploitation
Not in CISA KEV at last sync

Original advisory: https://www.drupal.org/sa-core-2026-003

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-6367coverage & exploitation statusNVD · CVE.org

Recent advisories for Drupal core -

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from Drupal Security Advisories