Impact
The vulnerability is an instance of improper neutralization of input during web page generation (CWE-79), which allows malicious code to be embedded in rendered pages. The mechanism is a classic cross-site scripting (XSS) flaw: user-controllable data is placed into page output without adequate escaping. Based on the description, the flaw is inferred to permit the injection of arbitrary JavaScript that executes when a victim views the affected page.
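To make the CWE-79 mechanism concrete, the following added example (written for this page; it is not Drupal's code and does not reproduce the advisory's specific flaw) shows the unsafe pattern of concatenating user-controlled data into HTML beside the hardened pattern of context-appropriate escaping, plus a check that parses the rendered output and confirms the payload survives only as inert text. The function names, the `displayName` parameter and the probe string are constructed for illustration.

```php
<?php
// Added example, not part of the advisory or of Drupal core.
declare(strict_types=1);

/**
 * Vulnerable pattern (CWE-79): the value is concatenated straight into the
 * HTML output, so any markup in $displayName becomes part of the page.
 */
function renderUnescaped(string $displayName): string
{
    return '<p>Welcome, ' . $displayName . '</p>';
}

/**
 * Escape for an HTML text or quoted-attribute context. ENT_QUOTES covers both
 * quote characters, ENT_SUBSTITUTE avoids returning an empty string on invalid
 * UTF-8 (a silent failure that is itself a bypass risk).
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: the same template, escaped at the point of output. */
function renderEscaped(string $displayName): string
{
    return '<p>Welcome, ' . escapeHtml($displayName) . '</p>';
}

/** Attribute context: always quote the attribute and escape quotes too. */
function renderAttribute(string $value): string
{
    return '<input type="text" name="q" value="' . escapeHtml($value) . '">';
}

/**
 * Review helper: parse the rendered fragment the way a browser would and
 * report whether it contains no <script> element and the <p> text equals
 * the text the author intended to show (i.e. the input stayed inert data).
 */
function rendersAsInertText(string $html, string $expectedText): bool
{
    $doc = new DOMDocument();
    // Fragment input produces libxml warnings; they are not errors here.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    if ($doc->getElementsByTagName('script')->length > 0) {
        return false;
    }
    $p = $doc->getElementsByTagName('p')->item(0);
    return $p !== null && $p->textContent === $expectedText;
}

// Constructed probe string of the kind used in defensive testing; not from the advisory.
$probe = '<script>alert(document.cookie)</script>';
$expected = 'Welcome, ' . $probe;

echo "Unescaped : " . renderUnescaped($probe) . "\n";
echo "  inert?  : " . (rendersAsInertText(renderUnescaped($probe), $expected) ? 'yes' : 'no') . "\n";
echo "Escaped   : " . renderEscaped($probe) . "\n";
echo "  inert?  : " . (rendersAsInertText(renderEscaped($probe), $expected) ? 'yes' : 'no') . "\n";
echo "Attribute : " . renderAttribute('" autofocus onfocus="x') . "\n";
```

Run with `php example.php` (requires the standard `dom` extension). The unescaped render yields a live `<script>` element and the check reports "no"; the escaped render shows the probe verbatim as text and reports "yes". In Drupal itself, Twig autoescaping and the render API handle this for template output; the pattern above matters wherever HTML is assembled by hand or where a value is incorrectly marked as already safe.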
Affected Systems
Drupal core versions 11.3.0 through 11.3.6 (inclusive) are affected. Versions 11.3.7 and later contain the fix. No other Drupal products are listed as impacted by this advisory.
Risk and Exploitability
The advisory rates the issue as moderately critical, and the CVSS score of 6.1 indicates moderate severity. The EPSS score is 0.00029, indicating a very low probability of exploitation, and the vulnerability is not on CISA's KEV list. The attack surface is remote and web-based: any interface that accepts user input and fails to escape it on output can carry a payload. An attacker who controls such input can cause a victim's browser to run arbitrary JavaScript, potentially leading to session hijacking, phishing, or defacement. Exploitation requires only web access and no privileged credentials. While the very low EPSS score suggests no widespread exploitation has been observed yet, the flaw sits in Drupal core, and Drupal's broad deployment means public sites remain attractive targets.
OpenCVE Enrichment
GitHub GHSA