Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001 - Security-news

15 Apr 2026


      View online: https://www.drupal.org/sa-core-2026-001
Project: Drupal core [1]
Date: 2026-April-15
Security risk: *Critical* 15 ∕ 25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site scripting
Affected versions: >= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 <
11.2.11 || >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6365
Description: 
Drupal core's jQuery integration for AJAX modal dialog boxes does not
sufficiently sanitize certain options, which which can lead to a cross-site
scripting (XSS) vulnerability.
Solution: 
Install the latest version:
* If you use Drupal 10.5.x, update to Drupal 10.5.9 [3].
  * If you use Drupal 10.6.x, update to Drupal 10.6.7 [4].
  * If you use Drupal 11.2.x, update to Drupal 11.2.11 [5].
  * If you use Drupal 11.3.x, update to Drupal 11.3.7 [6].
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do
not receive security coverage. (Drupal 8 [7] and Drupal 9 [8] have both
reached end-of-life.)
Reported By: 
  * Murat Kekiç (murat_kekic) [9]
Fixed By: 
  * Anna Kalata (akalata) [10] of the Drupal Security Team
  * Benji Fisher (benjifisher) [11] of the Drupal Security Team
  * Neil Drumm (drumm) [12] of the Drupal Security Team
  * Lee Rowlands (larowlan) [13] of the Drupal Security Team
  * Michael Hess (mlhess) [14] of the Drupal Security Team
  * James Gilliland (neclimdul) [15] of the Drupal Security Team
  * Joseph Zhao (pandaski) [16] of the Drupal Security Team
  * Juraj Nemec (poker10) [17] of the Drupal Security Team
  * Ra Mänd (ram4nd) [18], provisional member of the Drupal Security Team
  * Jess  (xjm) [19] of the Drupal Security Team
Coordinated By: 
  * Greg Knaddison (greggles) [20] of the Drupal Security Team
  * Lee Rowlands (larowlan) [21] of the Drupal Security Team
  * Pierre Rudloff (prudloff) [22] of the Drupal Security Team
  * Jess  (xjm) [23] of the Drupal Security Team
Security
issue: https://git.drupalcode.org/security/11-drupal-security/-/issues/1
[24]
------------------------------------------------------------------------------
Contribution record [25]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/10.5.9
[4] https://www.drupal.org/project/drupal/releases/10.6.7
[5] https://www.drupal.org/project/drupal/releases/11.2.11
[6] https://www.drupal.org/project/drupal/releases/11.3.7
[7] https://www.drupal.org/psa-2021-06-29
[8] https://www.drupal.org/psa-2023-11-01
[9] https://www.drupal.org/u/murat_kekic
[10] https://www.drupal.org/u/akalata
[11] https://www.drupal.org/u/benjifisher
[12] https://www.drupal.org/u/drumm
[13] https://www.drupal.org/u/larowlan
[14] https://www.drupal.org/u/mlhess
[15] https://www.drupal.org/u/neclimdul
[16] https://www.drupal.org/u/pandaski
[17] https://www.drupal.org/u/poker10
[18] https://www.drupal.org/u/ram4nd
[19] https://www.drupal.org/u/xjm
[20] https://www.drupal.org/u/greggles
[21] https://www.drupal.org/u/larowlan
[22] https://www.drupal.org/u/prudloff
[23] https://www.drupal.org/u/xjm
[24] https://git.drupalcode.org/security/11-drupal-security/-/issues/1
[25]  
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....