Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
AnalysisAI
Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11 - to client-side script injection exploitable by unauthenticated remote attackers who can induce user interaction. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in the context of a victim's browser session, enabling session hijacking, credential theft, or malicious redirects against authenticated users including administrators. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (8th percentile) signals low near-term exploitation probability, though the breadth of affected versions across three major release lines increases the aggregate attack surface.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates Drupal Core fails to adequately sanitize or encode attacker-controlled input before rendering it within HTML pages served to end users. The CVSS vector's Changed Scope (S:C) is characteristic of reflected or stored XSS where the vulnerable component (the Drupal application) generates a page that executes script in the browser security context of a different user, breaking the same-origin boundary. The affected CPE (cpe:2.3:a:drupal:drupal_core:*:*:*:*:*:*:*:*) spans Drupal Core across all platforms and architectures. The wide version range - from 8.0.0 through current 11.3.x - suggests the vulnerable code path exists in a long-lived core rendering component. The Drupal security team self-reported this issue via SA-CORE-2026-001, consistent with a proactive internal audit rather than external researcher disclosure.
RemediationAI
The primary fix is to upgrade Drupal Core to a patched release: 10.5.9 or later for the 10.5.x branch, 10.6.7 or later for the 10.6.x branch, 11.2.11 or later for the 11.2.x branch, or 11.3.7 or later for the 11.3.x branch. Full details and upgrade guidance are available in the Drupal security advisory at https://www.drupal.org/sa-core-2026-001. Sites running Drupal 8.x or 9.x that are already end-of-life should treat any 10.5.9-equivalent backport with caution - migrating to a supported branch (10.6.x or 11.3.x) is strongly preferred. If immediate patching is not feasible, a compensating control is to restrict access to the specific vulnerable endpoint or page type at the web server or WAF layer with XSS-targeted rules (e.g., ModSecurity OWASP CRS), though this may interfere with legitimate rich-text or form-based functionality and is not a substitute for patching. Content Security Policy (CSP) headers configured to disallow inline scripts can also limit the impact of XSS exploitation but require careful testing to avoid breaking Drupal's JavaScript-dependent UI components.
More in Drupal Core
View allSQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated att
Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged auth
Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious s
Object injection in Drupal Core through improperly controlled modification of dynamically-determined object attributes (
Object injection via a mass assignment flaw in Drupal Core enables an authenticated administrator to manipulate dynamica
Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by for
Cross-site scripting (XSS) in Drupal Core affects a broad swath of the 10.x and 11.x release lines, enabling an authenti
Server-Side Request Forgery in Drupal Core allows authenticated low-privilege users to coerce the application server int
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31000
GHSA-f3cj-mjqm-fhvj