CVE-2026-6367
Discovered by AISLEPUBLISHEDCWE-79
Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.
CVSS Base Scores
CVSS v3.1(Primary)
6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| Drupal | Drupal core | 11.3.0 | affected |
Credits
- cantina_security(finder)
- Dries Buytaert (dries)(finder)
- Shirsendu Mondal(finder)
- Lee Rowlands (larowlan)(remediation developer)
- Drew Webber (mcdruid)(remediation developer)
- Mingsong (mingsong)(remediation developer)
- Damien McKenna (damienmckenna)(coordinator)
- Greg Knaddison (greggles)(coordinator)
- Lee Rowlands (larowlan)(coordinator)
- Juraj Nemec (poker10)(coordinator)
- Jess (xjm)(coordinator)
- Dmitrijs Trizna (dtrizna)(finder)