Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Network-accessible CMS requiring low-privilege auth to inject; victim interaction required for execution; scope change reflects browser origin boundary crossing with limited C and I impact.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
AnalysisAI
Cross-site scripting (XSS) in Drupal Core affects a broad swath of the 10.x and 11.x release lines, enabling an authenticated low-privileged attacker to inject malicious client-side script that executes in the browser of a victim who interacts with the crafted content. The CVSS scope-change indicator (S:C) confirms the impact escapes the originating component into the victim's browser context, enabling session hijacking or privilege escalation against higher-privileged users. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold at least a low-privilege authenticated account on the Drupal site - a role with permission to create or edit content (e.g., anonymous content submission is insufficient per PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The overall CVSS base score of 5.4 (Medium) is appropriate given the PR:L and UI:R constraints that meaningfully gate exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated contributor or editor-level Drupal user crafts a page, node, or field value containing an obfuscated JavaScript payload that bypasses Drupal's input filtering due to the unpatched CWE-79 flaw, then saves it to the site. When an administrator or another privileged user navigates to that content in their browser, the injected script silently executes, exfiltrates the victim's session cookie to an attacker-controlled server, and replays it to assume full administrative control of the Drupal site. … |
| Remediation | Patch is available per the official Drupal Security Advisory SA-CORE-2026-009 at https://www.drupal.org/sa-core-2026-009. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Drupal Core
View allSQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated att
Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged auth
Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious s
Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11
Object injection in Drupal Core through improperly controlled modification of dynamically-determined object attributes (
Object injection via a mass assignment flaw in Drupal Core enables an authenticated administrator to manipulate dynamica
Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by for
Server-Side Request Forgery in Drupal Core allows authenticated low-privilege users to coerce the application server int
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43085
GHSA-9wh5-5mcm-hf2j