Medium severity 6.1 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026
CVE-2026-6365
Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.0.0, < 10.5.9 | 10.5.9 |
| drupal/core (Packagist) | >= 10.6.0, < 10.6.7 | 10.6.7 |
| drupal/core (Packagist) | >= 11.0.0, < 11.2.11 | 11.2.11 |
| drupal/core (Packagist) | >= 11.3.0, < 11.3.7 | 11.3.7 |
Affected products
- Range: >=8.0.0, <10.5.9 || >=10.6.0, <10.6.7 || >=11.0.0, <11.2.11 || >=11.3.0, <11.3.7
References
- github.com/advisories/GHSA-f3cj-mjqm-fhvj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-6365 (ghsa, ADVISORY)
- www.drupal.org/sa-core-2026-001 (nvd, Vendor Advisory, WEB)
News mentions
- Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001 (Drupal Security Advisories · Apr 15, 2026)