Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003 - Security-news

15 Apr 2026


      View online: https://www.drupal.org/sa-core-2026-003
Project: Drupal core [1]
Date: 2026-April-15
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
Affected versions: >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6367
Description: 
Drupal 11.3 comes with support for completing entity suggestions whilst
adding a link to CKEditor 5.
The suggestions aren't sufficiently sanitized and a malicious user could
trigger a stored cross site scripting attack against another user.
Solution: 
Install the latest version:
* If you use Drupal 11.3.x, update to Drupal 11.3.7 [3]
  * Drupal versions below 11.3 are not affected by this vulnerability
Reported By: 
  * cantina_security [4]
  * Dries Buytaert (dries) [5]
  * Shirsendu Mondal [6]
Fixed By: 
  * Lee Rowlands (larowlan) [7] of the Drupal Security Team
  * Drew Webber (mcdruid) [8] of the Drupal Security Team
  * Mingsong  (mingsong) [9], provisional member of the Drupal Security Team
Coordinated By: 
  * Damien McKenna (damienmckenna) [10] of the Drupal Security Team
  * Greg Knaddison (greggles) [11] of the Drupal Security Team
  * Lee Rowlands (larowlan) [12] of the Drupal Security Team
  * Juraj Nemec (poker10) [13] of the Drupal Security Team
  * Jess  (xjm) [14] of the Drupal Security Team
Security
issue: https://git.drupalcode.org/security/34-drupal-security/-/work_items/1
[15]
------------------------------------------------------------------------------
Contribution record [16]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/11.3.7
[4] https://www.drupal.org/u/cantina_security
[5] https://www.drupal.org/u/dries
[6] https://www.drupal.org/u/shirsendu-mondal
[7] https://www.drupal.org/u/larowlan
[8] https://www.drupal.org/u/mcdruid
[9] https://www.drupal.org/u/mingsong
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/larowlan
[13] https://www.drupal.org/u/poker10
[14] https://www.drupal.org/u/xjm
[15] https://git.drupalcode.org/security/34-drupal-security/-/work_items/1
[16]  
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....