CVE-2026-6367 · EXPLOITED · PATCHED
CVSS: 6.1
drupal · drupal

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

Description

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.

Affected Products

Vendor: drupal
Product: drupal
Versions: 11.3.0, multiple versions

References

  • https://www.drupal.org/sa-core-2026-003

Related News (4 articles)

  • CCCS Canada (Tier B, 6d ago): Drupal security advisory (AV26-492)
    → No new info (linked only)
  • VulDB (Tier C, 6d ago): CVE-2026-6367 | Drupal up to 11.3.6 cross site scripting (sa-core-2026-003)
    → No new info (linked only)
  • BSI Advisories (Tier B, 7d ago): [NEW] [high] Drupal Core: Vulnerability allows unspecified attack
    → No new info (linked only)
  • CCCS Canada (Tier B, 40d ago): Drupal security advisory (AV26-359)
    → No new info (linked only)

CVSS 3.1: 6.1 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA KEV: No
Actively exploited: Yes
Patch available: 11.3.7
CWE: CWE-79
Published: May 19, 2026
Last enriched: 6d ago (v2)
Tags: unspecified attack, confidentiality impact, integrity impact, availability impact, cross-site scripting, xss, critical, web application, problematic
Trending Score: 24
Source articles: 4
Independent: 3
Info Completeness: 10/14
Missing: cvss, epss, kev, iocs

Related CVEs (5)

  • CVE-2026-9082 (CRITICAL, EXP, KEV): Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 (Trending: 158)
  • CVE-2026-8495 (CRITICAL): Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037 (Trending: 27)
  • CVE-2026-4929 (NONE, EXP): Simple Hierarchical Select (Drupal 7) XSS in term-derived output (Trending: 23)
  • CVE-2026-4093 (NONE, EXP): Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels) (Trending: 19)
  • CVE-2026-6366 (MEDIUM, EXP): Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002 (Trending: 18)

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • May 19, 2026 - CVE Published
  • May 19, 2026 - Discovered by ZDM
  • May 20, 2026 - Updated: affectedVersions, severity, tags
  • May 20, 2026 - Actively Exploited
  • May 20, 2026 - Exploit Available
  • May 20, 2026 - Patch Available

Version History

Current version: v2 (last enriched 6d ago)

v2 (Tier C, 6d ago, via VulDB)
Updated affected versions to include 11.3.6, changed severity to MEDIUM, and added a new tag 'problematic'.
Changed fields: affectedVersions, severity, tags

v1 (6d ago)
Initial creation