it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
- Date: Wed, 15 Apr 2026 19:27:21 +0000
- Archived-at: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/message/PR2A66D7A4JHP6YJXSIFRDU45FO5TFEM/>
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=eFx35Bg4; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=f34odw3mfzgsrgyn3evjayysxxl6jizn header.b=HHcnoGGG; dkim=fail ("body hash did not verify") header.d=amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b="3P/QNIzf"; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 4832B42E0F
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 90F7F40051
- Dmarc-filter: OpenDMARC Filter v1.4.2 smtp2.osuosl.org 90F7F40051
- Feedback-id: ::1.us-west-2.eaokZ1GT8utLqfMHQoyOsEFVrSIzzS6R+14LP6WIIUY=:AmazonSES
- List-archive: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2026-003
Project: Drupal core [1]
Date: 2026-April-15
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
Affected versions: >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6367
Description:
Drupal 11.3 comes with support for completing entity suggestions whilst
adding a link to CKEditor 5.
The suggestions aren't sufficiently sanitized and a malicious user could
trigger a stored cross site scripting attack against another user.
Solution:
Install the latest version:
* If you use Drupal 11.3.x, update to Drupal 11.3.7 [3]
* Drupal versions below 11.3 are not affected by this vulnerability
Reported By:
* cantina_security [4]
* Dries Buytaert (dries) [5]
* Shirsendu Mondal [6]
Fixed By:
* Lee Rowlands (larowlan) [7] of the Drupal Security Team
* Drew Webber (mcdruid) [8] of the Drupal Security Team
* Mingsong (mingsong) [9], provisional member of the Drupal Security Team
Coordinated By:
* Damien McKenna (damienmckenna) [10] of the Drupal Security Team
* Greg Knaddison (greggles) [11] of the Drupal Security Team
* Lee Rowlands (larowlan) [12] of the Drupal Security Team
* Juraj Nemec (poker10) [13] of the Drupal Security Team
* Jess (xjm) [14] of the Drupal Security Team
Security
issue: https://git.drupalcode.org/security/34-drupal-security/-/work_items/1
[15]
------------------------------------------------------------------------------
Contribution record [16]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/11.3.7
[4] https://www.drupal.org/u/cantina_security
[5] https://www.drupal.org/u/dries
[6] https://www.drupal.org/u/shirsendu-mondal
[7] https://www.drupal.org/u/larowlan
[8] https://www.drupal.org/u/mcdruid
[9] https://www.drupal.org/u/mingsong
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/larowlan
[13] https://www.drupal.org/u/poker10
[14] https://www.drupal.org/u/xjm
[15] https://git.drupalcode.org/security/34-drupal-security/-/work_items/1
[16] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3584598
_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at
- [IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003, security-news, 15.04.2026
Archiv bereitgestellt durch MHonArc 2.6.19+.