View online: https://www.drupal.org/sa-core-2026-003
Project: Drupal core [1]
Date: 2026-April-15
Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
Affected versions: >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6367

Description: Drupal 11.3 comes with support for completing entity suggestions whilst adding a link in CKEditor 5. The suggestions are not sufficiently sanitized, so a malicious user could trigger a stored cross-site scripting attack against another user.
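The pattern behind this class of bug, as an added illustration that is not Drupal's or CKEditor 5's code: an autocomplete that builds suggestion markup by concatenating an entity label renders any HTML in that label as markup, whereas escaping the label first renders it as plain text. The function names, the `escapeHtml` helper and the sample suggestion data are constructed for this example and say nothing about how Drupal's own suggestion widget is implemented.

```javascript
// Added example: how an unescaped entity label ends up as markup in an
// autocomplete dropdown, and the escaping that prevents it. Function
// names and sample data are constructed; this is not Drupal or CKEditor code.

// Constructed sample suggestions: entity labels as a site user could have
// typed them into a title field. The third one contains HTML.
const SAMPLE_SUGGESTIONS = [
  { id: 1, label: "About us" },
  { id: 2, label: "Pricing & plans" },
  { id: 3, label: 'Team <b class="x">page</b>' },
];

// Escape the five characters that let text break out of an HTML text node
// or a double- or single-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the label is concatenated straight into markup, so
// any tags it contains become part of the dropdown's DOM for whoever
// opens the link dialog later (stored XSS).
function renderSuggestionUnsafe(s) {
  return `<li data-id="${s.id}">${s.label}</li>`;
}

// Hardened pattern: escape the label (and the id) before interpolation,
// so the stored string is shown as text no matter what it contains.
function renderSuggestionSafe(s) {
  return `<li data-id="${escapeHtml(s.id)}">${escapeHtml(s.label)}</li>`;
}

// Defender's check: does a rendered item contain any tag other than the
// <li> wrapper itself? A correct renderer answers "no" for every label.
function leaksMarkup(rendered) {
  const inner = rendered.replace(/^<li[^>]*>/, "").replace(/<\/li>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Run a renderer over the sample set and return the ids whose output
// leaked markup; an empty array means the renderer is safe on this data.
function auditRenderer(render, suggestions = SAMPLE_SUGGESTIONS) {
  return suggestions.filter((s) => leaksMarkup(render(s))).map((s) => s.id);
}

console.log("unsafe renderer leaks ids:", auditRenderer(renderSuggestionUnsafe));
console.log("safe renderer leaks ids:", auditRenderer(renderSuggestionSafe));
```

In a real editor UI the equivalent fix is to create DOM nodes and set the label through `textContent` rather than assembling HTML strings at all; the `auditRenderer` check above is the kind of unit test a reviewer would ask for whenever user-controlled entity labels reach a rendered suggestion list.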
Solution: Install the latest version:

* If you use Drupal 11.3.x, update to Drupal 11.3.7 [3]
* Drupal versions below 11.3 are not affected by this vulnerability

Reported By:
* cantina_security [4]
* Dries Buytaert (dries) [5]
* Shirsendu Mondal [6]

Fixed By:
* Lee Rowlands (larowlan) [7] of the Drupal Security Team
* Drew Webber (mcdruid) [8] of the Drupal Security Team
* Mingsong (mingsong) [9], provisional member of the Drupal Security Team

Coordinated By:
* Damien McKenna (damienmckenna) [10] of the Drupal Security Team
* Greg Knaddison (greggles) [11] of the Drupal Security Team
* Lee Rowlands (larowlan) [12] of the Drupal Security Team
* Juraj Nemec (poker10) [13] of the Drupal Security Team
* Jess (xjm) [14] of the Drupal Security Team

Security issue: https://git.drupalcode.org/security/34-drupal-security/-/work_items/1 [15]

------------------------------------------------------------------------------

Contribution record [16]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/11.3.7
[4] https://www.drupal.org/u/cantina_security
[5] https://www.drupal.org/u/dries
[6] https://www.drupal.org/u/shirsendu-mondal
[7] https://www.drupal.org/u/larowlan
[8] https://www.drupal.org/u/mcdruid
[9] https://www.drupal.org/u/mingsong
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/larowlan
[13] https://www.drupal.org/u/poker10
[14] https://www.drupal.org/u/xjm
[15] https://git.drupalcode.org/security/34-drupal-security/-/work_items/1
[16] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....