Impact
The vulnerability is an instance of improper neutralization of input during web page generation (CWE-79), which allows malicious code to be embedded in rendered pages. The mechanism is a classic cross-site scripting (XSS) flaw: script content placed in user-controllable data is rendered without adequate escaping. Based on the advisory description, it is inferred that the flaw permits injection of arbitrary JavaScript that executes when a victim views the affected page.
Affected Systems
Drupal core versions 11.3.0 through 11.3.6 (inclusive) are affected. Versions 11.3.7 and later contain the fix. No other Drupal products are listed as impacted by this advisory.
Risk and Exploitability
The advisory rates the issue as moderately critical, but no CVSS score is provided, no EPSS value is available, and the vulnerability is not listed in CISA's KEV catalog. The attack surface is remote and web-based: any interface that accepts user input and fails to escape it on output could carry a payload. An attacker who controls such input can cause a victim's browser to run arbitrary JavaScript, potentially leading to session hijacking, phishing, or defacement. Exploitation requires only web access and no privileged credentials. The absence of an EPSS score suggests no widespread exploitation has been observed yet, but because the flaw sits in Drupal core and Drupal is widely deployed, public sites remain attractive targets.
OpenCVE Enrichment