CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-6367

criticalcovered by 1 sourcefirst seen 2026-04-15
Project: Drupal core Date: 2026-April-15 Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Cross-site scripting Affected versions: >= 11.3.0 < 11.3.7 CVE IDs: CVE-2026-6367 Description: Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user. Solution: Install the latest version: If you use Drupal 11.3.x, update to Drupal 11.3.7 Drupal versions below 11.3 are not affected by this vulnerability Reported By: cantina_security Dries Buytaert (dries) Dmitrijs Trizna (dtrizna) Shirsendu Mondal Fixed By: Lee Rowlands (larowlan) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team Mingsong (mingsong) , provisional member of the Drupal Security Team Coordinated By: Damien McKenna (damienmckenna) of the Drupal Security Team Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team Jess (xjm) of the Drupal Security Team

CSIRTS triage

What
This vulnerability allows for stored cross-site scripting attacks due to insufficient sanitization.
Who is affected
Users of Drupal versions 11.3.0 to 11.3.6 are affected.
Urgency
Remediation is critical due to the potential for exploitation.
Action
Update to Drupal 11.3.7 to mitigate this vulnerability.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-6367

Get an email if CVE-2026-6367 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-6367

CVE.org record

Embed the live status

CVE-2026-6367 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-6367 status](https://www.csirts.com/badge/CVE-2026-6367)](https://www.csirts.com/cve/CVE-2026-6367)