Drupal XSS Vulnerability 11.3.011.3.6
CVE-2026-6367 Published on May 19, 2026
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 11.3.0 before 11.3.7.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-6367 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-6367
Want to know whenever a new CVE is published for Drupal? stack.watch will email you.
Affected Versions
Drupal core:- Version 11.3.0 and below 11.3.7 is affected.