CVE-2026-6367
Published 2026-05-19
CVE-2026-6367: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS)…
Priority: P4 · 26 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.20% (10.1th percentile)
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 11.3.0 before 11.3.7.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 11.3.0 < 11.3.7 | 11.3.7 |
| drupal | drupal | >= 11.3.0 < 11.3.7 | 11.3.7 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 11.3.0 < 11.3.7 | 11.3.7 |
Drupal
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
vendor_drupal·2026-04-15
CVE-2026-6367 [MEDIUM] Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
Title: Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
Vulnerability Type: Cross-site scripting
Description: Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user.
Solution: Install the latest version: If you use Drupal 11.3.x, update to Drupal 11.3.7. Drupal versions below 11.3 are not affected by this vulnerability.
GHSA
Drupal core allows Cross-Site Scripting (XSS)
ghsa·2026-05-20
CVE-2026-6367 [MEDIUM] CWE-79 Drupal core allows Cross-Site Scripting (XSS)
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 11.3.0 before 11.3.7.
GHSA
GHSA-pw6f-3999-xp7g: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (
ghsa_unreviewed·2026-05-20
CVE-2026-6367 [MEDIUM] CWE-79 GHSA-pw6f-3999-xp7g: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 11.3.0 before 11.3.7.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-19