Medium severity6.1NVD Advisory· Published May 19, 2026· Updated May 20, 2026
CVE-2026-6367
CVE-2026-6367
Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 11.3.0 before 11.3.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
drupal/corePackagist | >= 11.3.0, < 11.3.7 | 11.3.7 |
Affected products
4- Range: >=11.3.0, <11.3.7
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-pw6f-3999-xp7gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-6367ghsaADVISORY
- www.drupal.org/sa-core-2026-003nvdVendor AdvisoryWEB
News mentions
1- Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003Drupal Security Advisories · Apr 15, 2026