View online: https://www.drupal.org/sa-core-2026-001 Project: Drupal core [1] Date: 2026-April-15 Security risk: *Critical* 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross-site scripting Affected versions: >= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7 CVE IDs: CVE-2026-6365 Description:  Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which which can lead to a cross-site scripting (XSS) vulnerability. Solution:  Install the latest version: * If you use Drupal 10.5.x, update to Drupal 10.5.9 [3]. * If you use Drupal 10.6.x, update to Drupal 10.6.7 [4]. * If you use Drupal 11.2.x, update to Drupal 11.2.11 [5]. * If you use Drupal 11.3.x, update to Drupal 11.3.7 [6]. Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 [7] and Drupal 9 [8] have both reached end-of-life.) Reported By:  * Murat Kekiç (murat_kekic) [9] Fixed By:  * Anna Kalata (akalata) [10] of the Drupal Security Team * Benji Fisher (benjifisher) [11] of the Drupal Security Team * Neil Drumm (drumm) [12] of the Drupal Security Team * Lee Rowlands (larowlan) [13] of the Drupal Security Team * Michael Hess (mlhess) [14] of the Drupal Security Team * James Gilliland (neclimdul) [15] of the Drupal Security Team * Joseph Zhao (pandaski) [16] of the Drupal Security Team * Juraj Nemec (poker10) [17] of the Drupal Security Team * Ra Mänd (ram4nd) [18], provisional member of the Drupal Security Team * Jess (xjm) [19] of the Drupal Security Team Coordinated By:  * Greg Knaddison (greggles) [20] of the Drupal Security Team * Lee Rowlands (larowlan) [21] of the Drupal Security Team * Pierre Rudloff (prudloff) [22] of the Drupal Security Team * Jess (xjm) [23] of the Drupal Security Team Security issue: https://git.drupalcode.org/security/11-drupal-security/-/issues/1 [24] ------------------------------------------------------------------------------ Contribution record [25] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/10.5.9 [4] https://www.drupal.org/project/drupal/releases/10.6.7 [5] https://www.drupal.org/project/drupal/releases/11.2.11 [6] https://www.drupal.org/project/drupal/releases/11.3.7 [7] https://www.drupal.org/psa-2021-06-29 [8] https://www.drupal.org/psa-2023-11-01 [9] https://www.drupal.org/u/murat_kekic [10] https://www.drupal.org/u/akalata [11] https://www.drupal.org/u/benjifisher [12] https://www.drupal.org/u/drumm [13] https://www.drupal.org/u/larowlan [14] https://www.drupal.org/u/mlhess [15] https://www.drupal.org/u/neclimdul [16] https://www.drupal.org/u/pandaski [17] https://www.drupal.org/u/poker10 [18] https://www.drupal.org/u/ram4nd [19] https://www.drupal.org/u/xjm [20] https://www.drupal.org/u/greggles [21] https://www.drupal.org/u/larowlan [22] https://www.drupal.org/u/prudloff [23] https://www.drupal.org/u/xjm [24] https://git.drupalcode.org/security/11-drupal-security/-/issues/1 [25] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....