Skip to main content

Drupal Core EUVDEUVD-2026-43085

| CVE-2026-55808 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 drupal GHSA-9wh5-5mcm-hf2j
5.4
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network-accessible CMS requiring low-privilege auth to inject; victim interaction required for execution; scope change reflects browser origin boundary crossing with limited C and I impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 13, 2026 - 19:50 vuln.today
CVSS changed
Jul 13, 2026 - 19:22 NVD
5.4 (MEDIUM)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:46 cve.org
MEDIUM 5.4
CVE Published
Jul 10, 2026 - 21:46 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.

AnalysisAI

Cross-site scripting (XSS) in Drupal Core affects a broad swath of the 10.x and 11.x release lines, enabling an authenticated low-privileged attacker to inject malicious client-side script that executes in the browser of a victim who interacts with the crafted content. The CVSS scope-change indicator (S:C) confirms the impact escapes the originating component into the victim's browser context, enabling session hijacking or privilege escalation against higher-privileged users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Drupal account
Delivery
Inject JavaScript payload into content field
Exploit
Victim navigates to malicious content
Execution
XSS executes in victim's browser
Persist
Session token exfiltrated to attacker
Impact
Attacker replays session as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold at least a low-privilege authenticated account on the Drupal site - a role with permission to create or edit content (e.g., anonymous content submission is insufficient per PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The overall CVSS base score of 5.4 (Medium) is appropriate given the PR:L and UI:R constraints that meaningfully gate exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated contributor or editor-level Drupal user crafts a page, node, or field value containing an obfuscated JavaScript payload that bypasses Drupal's input filtering due to the unpatched CWE-79 flaw, then saves it to the site. When an administrator or another privileged user navigates to that content in their browser, the injected script silently executes, exfiltrates the victim's session cookie to an attacker-controlled server, and replays it to assume full administrative control of the Drupal site. …
Remediation Patch is available per the official Drupal Security Advisory SA-CORE-2026-009 at https://www.drupal.org/sa-core-2026-009. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy