CVE-2026-6365
Published 2026-05-19
CVE-2026-6365: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS)…
Priority: P4 (26), medium
CVSS 3.1: 6.1, vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.24% (14.8th percentile)
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.6.0 < 10.6.7 | 10.6.7 |
| drupal | core | >= 11.0.0 < 11.2.11 | 11.2.11 |
| drupal | core | >= 11.3.0 < 11.3.7 | 11.3.7 |
| drupal | core | >= 8.0.0 < 10.5.9 | 10.5.9 |
| drupal | drupal | >= 10.6.0 < 10.6.7 | 10.6.7 |
| drupal | drupal | >= 11.0.0 < 11.2.11 | 11.2.11 |
| drupal | drupal | >= 11.3.0 < 11.3.7 | 11.3.7 |
| drupal | drupal | >= 8.0.0 < 10.5.9 | 10.5.9 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.6.0 < 10.6.7 | 10.6.7 |
| drupal | drupal_core | >= 11.0.0 < 11.2.11 | 11.2.11 |
| drupal | drupal_core | >= 11.3.0 < 11.3.7 | 11.3.7 |
| drupal | drupal_core | >= 8.0.0 < 10.5.9 | 10.5.9 |
GHSA
Drupal core is Vulnerable to Cross-Site Scripting
ghsa·2026-05-20
CVE-2026-6365 [MEDIUM] CWE-79 Drupal core is Vulnerable to Cross-Site Scripting
GHSA
GHSA-f3cj-mjqm-fhvj: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (
ghsa_unreviewed·2026-05-20
CVE-2026-6365 [MEDIUM] CWE-79 GHSA-f3cj-mjqm-fhvj: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (
Drupal
Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
vendor_drupal·2026-04-15
CVE-2026-6365 [HIGH] Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
Title: Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
Vulnerability Type: Cross-site scripting
Description: Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability.
Solution: Install the latest version: If you use Drupal 10.5.x, update to Drupal 10.5.9. If you use Drupal 10.6.x, update to Drupal 10.6.7. If you use Drupal 11.2.x, update to Drupal 11.2.11. If you use Drupal 11.3.x, update to Drupal 11.3.7. Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)