Drupal Core Vulnerable to Cross-Site Scripting via Layout Builder
A moderately critical cross-site scripting vulnerability has been identified in Drupal core's Layout Builder module, requiring specific user interaction for exploitation.

Drupal has released security advisory SA-CORE-2026-012, detailing a moderately critical cross-site scripting (XSS) vulnerability affecting its core Layout Builder module. The vulnerability, tracked as CVE-2026-55805, stems from insufficient sanitization of block labels within the module. This flaw could allow an attacker to inject malicious scripts into web pages viewed by other users.
The severity of the vulnerability is rated as moderately critical, with a CVSS score of 13/25. The advisory notes that exploitation requires a specific scenario: both the attacker and the targeted user must be actively using the Layout Builder editing interface. This condition significantly limits the potential impact, as it necessitates a compromised or malicious user with administrative or editor privileges within the Layout Builder environment.
Several versions of Drupal core are affected by this vulnerability. These include Drupal 10.6.x prior to version 10.6.13, and Drupal 11.3.x versions prior to 11.3.14, as well as Drupal 11.4.x versions prior to 11.4.4. Additionally, all versions within the 11.0.*, 11.1.*, and 11.2.* branches are also impacted. It is important to note that Drupal 11.2.x and earlier versions, along with Drupal 10.5.x and earlier, are considered end-of-life and no longer receive security updates.
Drupal has provided specific patch versions to address this issue. Users running Drupal 11.4.x should update to version 11.4.4. Those on Drupal 11.3.x should upgrade to 11.3.14. For Drupal 10 users, the recommended update is to version 10.6.13. Users of unsupported or end-of-life versions are strongly advised to upgrade to a supported and patched release to mitigate the risk.
The vulnerability was reported by haii haii (hai27ii2o) and fixed by a team including danielveza, Lee Rowlands, Mingsong, and James Gilliland, with coordination from Greg Knaddison, Lee Rowlands, Dave Long, and Jess of the Drupal Security Team. The coordinated effort ensures that the vulnerability is addressed responsibly and that patches are made available to the community.
While the exploit requires specific user interaction within the Layout Builder, the presence of an XSS vulnerability in a core module underscores the importance of regular security patching and vigilant monitoring of Drupal installations. Organizations using Drupal should prioritize applying these updates to protect their websites and user data from potential compromise.