Skip to main content

Drupal Core EUVDEUVD-2026-31000

| CVE-2026-6365 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-19 drupal GHSA-f3cj-mjqm-fhvj
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 14:25 vuln.today
CVSS changed
May 20, 2026 - 14:22 NVD
6.1 (MEDIUM)
Patch available
May 19, 2026 - 23:02 EUVD
CVE Published
May 19, 2026 - 22:27 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).

This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

AnalysisAI

Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11 - to client-side script injection exploitable by unauthenticated remote attackers who can induce user interaction. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in the context of a victim's browser session, enabling session hijacking, credential theft, or malicious redirects against authenticated users including administrators. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (8th percentile) signals low near-term exploitation probability, though the breadth of affected versions across three major release lines increases the aggregate attack surface.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates Drupal Core fails to adequately sanitize or encode attacker-controlled input before rendering it within HTML pages served to end users. The CVSS vector's Changed Scope (S:C) is characteristic of reflected or stored XSS where the vulnerable component (the Drupal application) generates a page that executes script in the browser security context of a different user, breaking the same-origin boundary. The affected CPE (cpe:2.3:a:drupal:drupal_core:*:*:*:*:*:*:*:*) spans Drupal Core across all platforms and architectures. The wide version range - from 8.0.0 through current 11.3.x - suggests the vulnerable code path exists in a long-lived core rendering component. The Drupal security team self-reported this issue via SA-CORE-2026-001, consistent with a proactive internal audit rather than external researcher disclosure.

RemediationAI

The primary fix is to upgrade Drupal Core to a patched release: 10.5.9 or later for the 10.5.x branch, 10.6.7 or later for the 10.6.x branch, 11.2.11 or later for the 11.2.x branch, or 11.3.7 or later for the 11.3.x branch. Full details and upgrade guidance are available in the Drupal security advisory at https://www.drupal.org/sa-core-2026-001. Sites running Drupal 8.x or 9.x that are already end-of-life should treat any 10.5.9-equivalent backport with caution - migrating to a supported branch (10.6.x or 11.3.x) is strongly preferred. If immediate patching is not feasible, a compensating control is to restrict access to the specific vulnerable endpoint or page type at the web server or WAF layer with XSS-targeted rules (e.g., ModSecurity OWASP CRS), though this may interfere with legitimate rich-text or form-based functionality and is not a substitute for patching. Content Security Policy (CSP) headers configured to disallow inline scripts can also limit the impact of XSS exploitation but require careful testing to avoid breaking Drupal's JavaScript-dependent UI components.

Share

EUVD-2026-31000 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy