Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).

This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Published: 2026-05-19
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an Improper Neutralization of Input During Web Page Generation (CWE‑79) that allows an attacker to inject arbitrary scripts into pages served by Drupal core. The injected script can steal user credentials, hijack sessions, or perform other malicious actions, leading to loss of confidentiality and integrity for unsuspecting end‑users and site owners.

Affected Systems

The flaw affects all supported Drupal core versions up to and including 8.x, 10.x, and 11.x. Specifically, any release before 10.5.9, before 10.6.7, before 11.2.11, or before 11.3.7 is vulnerable.

Risk and Exploitability

The vulnerability has an EPSS score of < 1%, indicating a very low but non‑zero exploitation probability, and a CVSS score of 6.1 (medium severity). It is not listed in CISA KEV, but its severity stems from its ability to inject arbitrary scripts into pages served by Drupal core. Attackers can exploit it by crafting malicious input that is rendered unescaped in Drupal pages; no special conditions beyond standard web interaction are required.

Generated by OpenCVE AI on May 20, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Drupal core release that includes the fix (at least 10.5.9, 10.6.7, 11.2.11, or 11.3.7).
  • Audit and sanitize any custom modules or third‑party code that renders user input to ensure proper escaping practices.
  • Configure a strict Content Security Policy on the web server to restrict the execution of injected scripts.

Generated by OpenCVE AI on May 20, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-core-2026-001 cve-icon cve-icon
History

Wed, 20 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 19 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal drupal Core
Vendors & Products Drupal
Drupal drupal Core

Tue, 19 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Title Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
Weaknesses CWE-79
References

Subscriptions

Drupal Drupal Core
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-05-20T13:35:14.190Z

Reserved: 2026-04-15T14:39:26.232Z

Link: CVE-2026-6365

cve-icon Vulnrichment

Updated: 2026-05-20T13:35:10.229Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-19T23:16:58.103

Modified: 2026-05-20T14:17:03.353

Link: CVE-2026-6365

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T15:30:33Z

Weaknesses