Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
Project: Drupal coreDate: 2026-April-15Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site scriptingAffected versions: >= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7CVE IDs: CVE-2026-6365Description: Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which which can lead to a cross-site scripting (XSS) vulnerability.Solution: Install the latest version:
- If you use Drupal 10.5.x, update to Drupal 10.5.9.
- If you use Drupal 10.6.x, update to Drupal 10.6.7.
- If you use Drupal 11.2.x, update to Drupal 11.2.11.
- If you use Drupal 11.3.x, update to Drupal 11.3.7.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)Reported By:
Fixed By:
- Anna Kalata (akalata) of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Michael Hess (mlhess) of the Drupal Security Team
- James Gilliland (neclimdul) of the Drupal Security Team
- Joseph Zhao (pandaski) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Ra Mänd (ram4nd), provisional member of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Pierre Rudloff (prudloff) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
