Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 11.3.0 before 11.3.7.
AnalysisAI
Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious scripts into web pages rendered by the application, which execute in victims' browsers upon user interaction. The CVSS Changed scope (S:C) indicator confirms the exploit crosses trust boundaries - attacker-controlled input rendered in the victim's browser context can compromise session tokens or trigger unauthorized actions. With EPSS at 0.03% (8th percentile) and no CISA KEV listing, widespread exploitation is not currently observed; a vendor patch is available in 11.3.7.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that Drupal core's rendering pipeline fails to sanitize or encode user-controlled input before emitting it as HTML. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) classifies this as reflected or stored XSS with a Changed scope, meaning the vulnerability boundary and impact boundary differ - input accepted by the Drupal application is rendered and executed within the victim's browser security context. The CPE string cpe:2.3:a:drupal:drupal_core confirms the flaw resides in core Drupal (not a contributed module), affecting the 11.3.x release line specifically from 11.3.0 through 11.3.6. The exact core subsystem or rendering component is not identified in available data and would require review of SA-CORE-2026-003 for precision.
RemediationAI
Upgrade Drupal core to version 11.3.7 or later, which resolves this vulnerability per SA-CORE-2026-003 (https://www.drupal.org/sa-core-2026-003). The patch is confirmed available from the vendor; use composer update drupal/core or the Drupal admin update interface. If immediate upgrading is not feasible, deploying a Web Application Firewall with XSS filtering rules targeting the affected input vectors can serve as a compensating control, though WAF rules carry false-positive risk and can be bypassed by encoding variants - they do not substitute for patching. Additionally, restricting access to the vulnerable functionality or endpoint to authenticated, trusted roles only may reduce exposure given the UI:R requirement, though the exact affected endpoint is not confirmed from available data. Consult SA-CORE-2026-003 for component-specific mitigations.
More in Drupal Core
View allSQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated att
Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged auth
Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11
Object injection in Drupal Core through improperly controlled modification of dynamically-determined object attributes (
Object injection via a mass assignment flaw in Drupal Core enables an authenticated administrator to manipulate dynamica
Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by for
Cross-site scripting (XSS) in Drupal Core affects a broad swath of the 10.x and 11.x release lines, enabling an authenti
Server-Side Request Forgery in Drupal Core allows authenticated low-privilege users to coerce the application server int
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31002
GHSA-pw6f-3999-xp7g