VYPR
Patch · Published Apr 15, 2026 · Updated May 20, 2026 · 1 source

Drupal Core 11.3.0–11.3.6 Patches Stored XSS in CKEditor 5 Entity Suggestions (CVE-2026-6367)

Drupal has released version 11.3.7 to fix a moderately critical stored cross-site scripting vulnerability in CKEditor 5's entity suggestion feature, tracked as CVE-2026-6367.

Drupal published a security advisory on April 15, 2026, disclosing a stored cross-site scripting (XSS) vulnerability affecting Drupal core versions 11.3.0 through 11.3.6. The flaw, assigned CVE-2026-6367, resides in the entity suggestion feature within CKEditor 5, where user-supplied suggestions are not sufficiently sanitized before being stored and later rendered to other users. An attacker with the ability to create or edit content could inject malicious scripts that execute in the browsers of other editors or administrators viewing the suggestion.
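As an added illustration of the defensive pattern that closes this class of bug (this is not code from Drupal, CKEditor 5, or the advisory), the snippet below renders constructed entity-suggestion records the unsafe way, with stored text interpolated straight into markup, beside an output-escaped version; the `{id, label}` record shape and the sample labels are assumptions.

```javascript
// Added example, not Drupal or CKEditor 5 code. Assumption: a suggestion
// dropdown is built from {id, label} records that other content editors
// supplied and that were stored without being sanitized.

// Constructed sample records; the second and third carry markup in the label.
const ENTITY_SUGGESTIONS = [
  { id: 17, label: 'Annual report 2026' },
  { id: 42, label: 'Roadmap <img src=x onerror="alert(1)">' },
  { id: 9, label: 'Q&A "guide" <script>alert(1)</script>' },
];

// Unsafe: the stored label is interpolated as-is, so any tag that survived
// storage becomes live HTML in the browser of whoever opens the dropdown.
function renderSuggestionsUnsafe(suggestions) {
  return suggestions
    .map((s) => `<li data-id="${s.id}">${s.label}</li>`)
    .join('');
}

// Escape the five characters that can break out of text content or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every untrusted field is escaped at render time, so the result
// is safe regardless of what storage-time filtering did or did not do.
function renderSuggestionsSafe(suggestions) {
  return suggestions
    .map((s) => `<li data-id="${escapeHtml(s.id)}">${escapeHtml(s.label)}</li>`)
    .join('');
}

// Review check: does a raw script/img tag or an inline event handler
// attribute survive in the rendered markup?
function containsMarkup(html) {
  return /<(script|img|[a-z]+\s+on\w+=)/i.test(html);
}
```

Escaping on output is the same discipline Drupal applies on the PHP side through Twig autoescaping and `Html::escape()`; the point is that stored data is never trusted just because it was stored.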

The vulnerability is rated moderately critical with a risk score of 13 out of 25 on Drupal's own scale (not a CVSS score), reflecting a theoretical attack vector that requires an authenticated user with some level of access. Drupal notes that versions below 11.3 are not affected, as the entity suggestion functionality was introduced in the 11.3 branch. The advisory credits cantina_security, Dries Buytaert, and Shirsendu Mondal for reporting the issue, while the fix was developed by Lee Rowlands, Drew Webber, and Mingsong of the Drupal Security Team.

Drupal has released version 11.3.7 to remediate the flaw. Users running any 11.3.x release are strongly advised to update immediately. No workarounds or mitigations have been provided for sites that cannot upgrade, making the patch the only reliable defense. The advisory does not indicate that the vulnerability has been exploited in the wild, but given the widespread use of Drupal for content management, the risk of targeted attacks remains.

This advisory arrives just weeks after Drupal warned of an upcoming "highly critical" emergency patch for all supported branches, scheduled for May 20, 2026. That forthcoming patch addresses a separate, more severe vulnerability that Drupal warned could see exploit code within hours or days of disclosure. The current CVE-2026-6367 fix is unrelated to that upcoming emergency release, but the proximity underscores the importance of maintaining up-to-date Drupal installations.

Stored XSS vulnerabilities in rich-text editors are particularly dangerous because they can persist in content that is viewed by multiple users, including administrators with elevated privileges. The CKEditor 5 integration in Drupal 11.3 introduced powerful editing capabilities, but this incident highlights the security challenges of complex client-side features. Organizations using Drupal should prioritize the 11.3.7 update and prepare for the May 20 emergency patch to stay protected against the evolving threat landscape.

Synthesized by Vypr AI