Cross-Site Scripting Vulnerability in Drupal Core by Drupal
CVE-2026-6365

6.1 MEDIUM

Key Information:

Vendor: Drupal

CVE Published: 19 May 2026

What is CVE-2026-6365?

An improper neutralization of input during web page generation (cross-site scripting) vulnerability exists in Drupal Core. It enables an attacker to execute arbitrary JavaScript code in the context of a user's session, which could lead to unauthorized actions being performed on behalf of users, data theft, or further exploitation of the web application. The issue affects multiple versions of Drupal Core, so affected sites should be patched immediately.

Affected Version(s)

Drupal core 8.0.0 < 10.5.9

Drupal core 10.6.0 < 10.6.7

Drupal core 11.0.0 < 11.2.11

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Murat Kekiç (murat_kekic)
Anna Kalata (akalata)
Benji Fisher (benjifisher)
Neil Drumm (drumm)
Lee Rowlands (larowlan)
Michael Hess (mlhess)
James Gilliland (neclimdul)
Joseph Zhao (pandaski)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Pierre Rudloff (prudloff)
Jess (xjm)