Skip to main content

Drupal Core EUVDEUVD-2026-31002

| CVE-2026-6367 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-19 drupal GHSA-pw6f-3999-xp7g
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 14:26 vuln.today
CVSS changed
May 20, 2026 - 14:22 NVD
6.1 (MEDIUM)
Patch available
May 19, 2026 - 23:02 EUVD
CVE Published
May 19, 2026 - 22:28 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).

This issue affects Drupal core: from 11.3.0 before 11.3.7.

AnalysisAI

Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious scripts into web pages rendered by the application, which execute in victims' browsers upon user interaction. The CVSS Changed scope (S:C) indicator confirms the exploit crosses trust boundaries - attacker-controlled input rendered in the victim's browser context can compromise session tokens or trigger unauthorized actions. With EPSS at 0.03% (8th percentile) and no CISA KEV listing, widespread exploitation is not currently observed; a vendor patch is available in 11.3.7.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that Drupal core's rendering pipeline fails to sanitize or encode user-controlled input before emitting it as HTML. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) classifies this as reflected or stored XSS with a Changed scope, meaning the vulnerability boundary and impact boundary differ - input accepted by the Drupal application is rendered and executed within the victim's browser security context. The CPE string cpe:2.3:a:drupal:drupal_core confirms the flaw resides in core Drupal (not a contributed module), affecting the 11.3.x release line specifically from 11.3.0 through 11.3.6. The exact core subsystem or rendering component is not identified in available data and would require review of SA-CORE-2026-003 for precision.

RemediationAI

Upgrade Drupal core to version 11.3.7 or later, which resolves this vulnerability per SA-CORE-2026-003 (https://www.drupal.org/sa-core-2026-003). The patch is confirmed available from the vendor; use composer update drupal/core or the Drupal admin update interface. If immediate upgrading is not feasible, deploying a Web Application Firewall with XSS filtering rules targeting the affected input vectors can serve as a compensating control, though WAF rules carry false-positive risk and can be bypassed by encoding variants - they do not substitute for patching. Additionally, restricting access to the vulnerable functionality or endpoint to authenticated, trusted roles only may reduce exposure given the UI:R requirement, though the exact affected endpoint is not confirmed from available data. Consult SA-CORE-2026-003 for component-specific mitigations.

Share

EUVD-2026-31002 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy