VYPR
patchPublished Jul 15, 2026· 1 source

Drupal Core Vulnerable to Cross-Site Scripting via HTMX Attributes

Drupal core versions 11.2.x, 11.3.x, and 11.4.x contain a moderately critical cross-site scripting vulnerability due to insufficient sanitization of certain HTMX attributes.

Drupal core versions 11.2.x, 11.3.x, and 11.4.x are affected by a moderately critical cross-site scripting (XSS) vulnerability, identified as CVE-2026-15917. The issue arises from the way Drupal core's XSS filter handles certain attributes when using the integrated HTMX JavaScript library.

Specifically, the vulnerability occurs because the XSS filter does not sufficiently sanitize specific HTMX attributes. This oversight can potentially lead to cross-site scripting attacks, allowing an attacker to inject malicious scripts into web pages viewed by other users. The severity is mitigated by the requirement that an attacker must be able to insert HTML with particular attributes to successfully exploit the flaw.

The affected versions include Drupal 11.2.*, versions of Drupal 11.3.x prior to 11.3.14, and versions of Drupal 11.4.x prior to 11.4.4. Drupal 11.3.14 and Drupal 11.4.4 are the patched releases that address this vulnerability. Users running earlier versions within these ranges are strongly advised to update immediately.

Drupal 10 core is not impacted by this specific vulnerability. However, the Drupal Security Team has included a hardening fix in Drupal 10.6 as a precautionary measure, acknowledging that some contributed modules might still be susceptible. Drupal 8 and Drupal 9 have both reached their end-of-life and no longer receive security support.

The vulnerability was reported by Pierre Rudloff of the Drupal Security Team, and the fix was implemented by Shawn Duncan, also of the Drupal Security Team. The coordinated disclosure and release process involved several key members of the Drupal Security Team, including catch, Lee Rowlands, Dave Long, and Jess.

This discovery highlights the ongoing challenges in securing complex web applications that integrate third-party libraries. While HTMX offers powerful dynamic capabilities, developers must remain vigilant about the security implications of attribute handling and sanitization, especially when dealing with user-generated content or dynamic attribute injection.

Users are urged to apply the provided updates to Drupal 11.3.14 or 11.4.4 as soon as possible to protect their sites from potential XSS attacks. For those on unsupported versions of Drupal 11.2.x or earlier, upgrading to a supported and patched version is critical for maintaining security.

Synthesized by Vypr AI