Critical XSS Vulnerability Patched in Drupal Core Across All Supported Branches
Drupal has released emergency security updates to fix a critical cross-site scripting vulnerability (CVE-2026-6365) in core's AJAX modal dialog jQuery integration, affecting versions 8.0.0 through 11.3.6.

Drupal's security team has issued an urgent patch for a critical cross-site scripting (XSS) vulnerability in Drupal core, tracked as CVE-2026-6365. The flaw resides in the jQuery integration for AJAX modal dialog boxes, where insufficient sanitization of certain options allows attackers to inject arbitrary scripts. This could enable malicious actors to execute JavaScript in the context of a victim's session, potentially leading to data theft, session hijacking, or further compromise.
The vulnerability affects all Drupal core versions from 8.0.0 up to, but not including, the patched releases: 10.5.9, 10.6.7, 11.2.11, and 11.3.7. Notably, Drupal 8 and 9 have reached end-of-life and will not receive a fix, leaving sites on those branches exposed. The Drupal Security Team has rated the risk as critical with a CVSS base score of 15 out of 25, noting that the attack complexity is 'complex' and that exploitation was 'theoretical' at the time of disclosure.
Administrators are strongly advised to update immediately to the appropriate patched version. For those on Drupal 10.5.x, upgrade to 10.5.9; 10.6.x users should move to 10.6.7; 11.2.x to 11.2.11; and 11.3.x to 11.3.7. Sites running Drupal 11.1.x, 11.0.x, 10.4.x, or earlier unsupported branches are urged to upgrade to a supported release as soon as possible.
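To turn the branch-by-branch guidance above into a repeatable check, the following added example (not code from Drupal or from this advisory) classifies an installed core version against the affected and fixed ranges stated here; the composer.lock fragment it reads is constructed for the demonstration, and the `assess` and `core_version_from_lock` helper names are this example's own.

```python
# Added example (not the advisory's own code): classify installed Drupal core
# versions against the affected and fixed ranges stated for CVE-2026-6365.
import json
import re

FIRST_AFFECTED = (8, 0, 0)
LAST_AFFECTED = (11, 3, 6)
# Fixed release per supported branch, as listed in the advisory.
FIXED = {(10, 5): (10, 5, 9), (10, 6): (10, 6, 7),
         (11, 2): (11, 2, 11), (11, 3): (11, 3, 7)}

def parse_version(text):
    """Turn '10.5.8', 'v10.5.8' or '11.3.6-rc1' into a comparable tuple.
    Pre-release suffixes are ignored, so an rc is treated as its final release."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(version_text):
    """Return (vulnerable, advice) for one core version."""
    v = parse_version(version_text)
    fixed = FIXED.get(v[:2])
    if fixed is not None:                      # supported branch with a fix
        if v >= fixed:
            return False, "already on a fixed release"
        return True, "upgrade to " + ".".join(map(str, fixed))
    if v < FIRST_AFFECTED or v > LAST_AFFECTED:
        return False, "outside the affected range"
    if v[0] in (8, 9):                         # end-of-life, no fix coming
        return True, "end-of-life branch, no fix; migrate to a supported release"
    return True, "unsupported branch; upgrade to a supported fixed release"

def core_version_from_lock(lock_json):
    """Pull drupal/core's pinned version out of composer.lock content."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg["version"]
    raise LookupError("drupal/core not found in composer.lock")

# Constructed composer.lock fragment, for demonstration only.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.5.8"},
    {"name": "drupal/core-recommended", "version": "10.5.8"}]})

if __name__ == "__main__":
    print(assess(core_version_from_lock(SAMPLE_LOCK)))   # (True, 'upgrade to 10.5.9')
```

Point it at a site's real composer.lock (or the version reported by `drush status`) to get the same verdict for that install.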
The vulnerability was reported by Murat Kekiç and fixed by a team including Anna Kalata, Benji Fisher, Neil Drumm, Lee Rowlands, Michael Hess, James Gilliland, Joseph Zhao, Juraj Nemec, Ra Mänd, and Jess (xjm), coordinated by Greg Knaddison, Lee Rowlands, Pierre Rudloff, and Jess. The coordinated disclosure process ensured patches were ready before public announcement.
This advisory follows a prior warning from Drupal on April 14, 2026, about an upcoming 'highly critical' security release. The Drupal Security Team had cautioned that exploit code could appear within hours or days of disclosure, underscoring the urgency of applying the patch. Given Drupal's widespread use in government, education, and enterprise, unpatched sites are attractive targets for attackers seeking to deface websites, steal credentials, or deploy malware.
Organizations running Drupal should prioritize this update as part of their vulnerability management process. The XSS flaw is the latest in a series of critical vulnerabilities in popular content management systems, highlighting the ongoing need for rapid patch deployment and robust web application security practices.