CVE-2026-6367
Project: Drupal core Date: 2026-April-15 Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Cross-site scripting Affected versions: >= 11.3.0 < 11.3.7 CVE IDs: CVE-2026-6367 Description: Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user. Solution: Install the latest version: If you use Drupal 11.3.x, update to Drupal 11.3.7 Drupal versions below 11.3 are not affected by this vulnerability Reported By: cantina_security Dries Buytaert (dries) Dmitrijs Trizna (dtrizna) Shirsendu Mondal Fixed By: Lee Rowlands (larowlan) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team Mingsong (mingsong) , provisional member of the Drupal Security Team Coordinated By: Damien McKenna (damienmckenna) of the Drupal Security Team Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team Jess (xjm) of the Drupal Security Team
CSIRTS triage
- What
- This vulnerability allows for stored cross-site scripting attacks due to insufficient sanitization.
- Who is affected
- Users of Drupal versions 11.3.0 to 11.3.6 are affected.
- Urgency
- Remediation is critical due to the potential for exploitation.
- Action
- Update to Drupal 11.3.7 to mitigate this vulnerability.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-6367
Get an email if CVE-2026-6367 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.20% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 10% of all EPSS-scored CVEs.
Advisory coverage (1)
- criticalDrupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003drupal · 2026-04-15
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-6367)