Drupal
Moderate fix4 remedies
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*
Moderate fix4 remedies
- >= 8.0.0, < 10.5.9
- >= 10.6.0, < 10.6.7
- >= 11.0.0, < 11.2.11
- >= 11.3.0, < 11.3.7
Drupal Core Cross-Site Scripting Vulnerability
Vulnerability
Patched
A cross-site scripting (XSS) vulnerability has been identified in Drupal Core. This issue arises from improper sanitization of certain options in the jQuery integration for AJAX modal dialog boxes, allowing for the injection of malicious scripts. The vulnerability affects Drupal Core versions 8.0.0 prior to 10.5.9, 10.6.0 prior to 10.6.7, 11.0.0 prior to 11.2.11, and 11.3.0 prior to 11.3.7.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Remediation
Users can update to the latest version of Drupal. For Drupal 10.5.x, update to Drupal 10.5.9. For Drupal 10.6.x, update to Drupal 10.6.7. For Drupal 11.2.x, update to Drupal 11.2.11. For Drupal 11.3.x, update to Drupal 11.3.7. Note that Drupal 11.1.x, 11.0.x, and 10.4.x and below are end-of-life and do not receive security coverage.
Added: May 19, 2026, 11:21 PM
Updated: May 19, 2026, 11:21 PM
Vulnerability Rating
Custom Algorithm
spread
7.6impact
1.7exploitability
6.4remediation
7.7relevance
8.8threat
0.0urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.