[IT-SecNots] [Security-news] Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-core-2026-001

Project: Drupal core [1]
Date: 2026-April-15
Security risk: *Critical* 15 ∕ 25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site scripting

Affected versions: >= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 <
11.2.11 || >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6365
Description: 
Drupal core's jQuery integration for AJAX modal dialog boxes does not
sufficiently sanitize certain options, which which can lead to a cross-site
scripting (XSS) vulnerability.

Solution: 
Install the latest version:

 * If you use Drupal 10.5.x, update to Drupal 10.5.9 [3].
 * If you use Drupal 10.6.x, update to Drupal 10.6.7 [4].
 * If you use Drupal 11.2.x, update to Drupal 11.2.11 [5].
 * If you use Drupal 11.3.x, update to Drupal 11.3.7 [6].

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do
not receive security coverage. (Drupal 8 [7] and Drupal 9 [8] have both
reached end-of-life.)

Reported By: 
 * Murat Kekiç (murat_kekic) [9]

Fixed By: 
 * Anna Kalata (akalata) [10] of the Drupal Security Team
 * Benji Fisher (benjifisher) [11] of the Drupal Security Team
 * Neil Drumm (drumm) [12] of the Drupal Security Team
 * Lee Rowlands (larowlan) [13] of the Drupal Security Team
 * Michael Hess (mlhess) [14] of the Drupal Security Team
 * James Gilliland (neclimdul) [15] of the Drupal Security Team
 * Joseph Zhao (pandaski) [16] of the Drupal Security Team
 * Juraj Nemec (poker10) [17] of the Drupal Security Team
 * Ra Mänd (ram4nd) [18], provisional member of the Drupal Security Team
 * Jess  (xjm) [19] of the Drupal Security Team

Coordinated By: 
 * Greg Knaddison (greggles) [20] of the Drupal Security Team
 * Lee Rowlands (larowlan) [21] of the Drupal Security Team
 * Pierre Rudloff (prudloff) [22] of the Drupal Security Team
 * Jess  (xjm) [23] of the Drupal Security Team

Security
issue: https://git.drupalcode.org/security/11-drupal-security/-/issues/1
[24]
------------------------------------------------------------------------------
Contribution record [25]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/10.5.9
[4] https://www.drupal.org/project/drupal/releases/10.6.7
[5] https://www.drupal.org/project/drupal/releases/11.2.11
[6] https://www.drupal.org/project/drupal/releases/11.3.7
[7] https://www.drupal.org/psa-2021-06-29
[8] https://www.drupal.org/psa-2023-11-01
[9] https://www.drupal.org/u/murat_kekic
[10] https://www.drupal.org/u/akalata
[11] https://www.drupal.org/u/benjifisher
[12] https://www.drupal.org/u/drumm
[13] https://www.drupal.org/u/larowlan
[14] https://www.drupal.org/u/mlhess
[15] https://www.drupal.org/u/neclimdul
[16] https://www.drupal.org/u/pandaski
[17] https://www.drupal.org/u/poker10
[18] https://www.drupal.org/u/ram4nd
[19] https://www.drupal.org/u/xjm
[20] https://www.drupal.org/u/greggles
[21] https://www.drupal.org/u/larowlan
[22] https://www.drupal.org/u/prudloff
[23] https://www.drupal.org/u/xjm
[24] https://git.drupalcode.org/security/11-drupal-security/-/issues/1
[25]  
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3584021

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at