Drupal core – Critical – Cross-site scripting – SA-CORE-2026-001
Project: Drupal core
Date: 2026-April-15
Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site scripting
Affected versions: >= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6365
Description: Drupal core’s jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability.
Solution: Install the latest version:
If you use Drupal 10.5.x, update to Drupal 10.5.9.
If you use Drupal 10.6.x, update to Drupal 10.6.7.
If you use Drupal 11.2.x, update to Drupal 11.2.11.
If you use Drupal 11.3.x, update to Drupal 11.3.7.
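To triage a site inventory against this advisory, the "Affected versions" constraint and the update list above can be evaluated mechanically. The following is an added example, not code from the advisory or from the Drupal project; the function names are hypothetical and the sample versions are constructed. Affected branches with no fixed release listed above are reported as end-of-life.

```python
import re

# Constraint string copied from the advisory's "Affected versions" field.
AFFECTED = (">= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || "
            ">= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7")
# Fixed release per supported branch, from the advisory's "Solution" list.
FIXED = {(10, 5): "10.5.9", (10, 6): "10.6.7", (11, 2): "11.2.11", (11, 3): "11.3.7"}

OPS = {">=": lambda a, b: a >= b, "<": lambda a, b: a < b}

def parse_version(text):
    """Turn 'X.Y.Z' into a tuple of ints; reject anything else (e.g. dev builds)."""
    if not re.fullmatch(r"\d+\.\d+\.\d+", text):
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(int(part) for part in text.split("."))

def parse_constraint(expr):
    """Parse 'A B || C D' into OR-ed groups of AND-ed (operator, version) pairs."""
    groups = []
    for alternative in expr.split("||"):
        pairs = re.findall(r"(>=|<)\s*(\d+\.\d+\.\d+)", alternative)
        groups.append([(op, parse_version(v)) for op, v in pairs])
    return groups

def is_affected(version, groups=None):
    """True if the version satisfies every bound of at least one range."""
    v = parse_version(version)
    groups = groups or parse_constraint(AFFECTED)
    return any(all(OPS[op](v, bound) for op, bound in group) for group in groups)

def advise(version):
    """Return (affected, action) for an installed Drupal core version."""
    if not is_affected(version):
        return False, "not in the affected ranges"
    fix = FIXED.get(parse_version(version)[:2])
    if fix:
        return True, f"update to Drupal {fix}"
    # Affected, but the advisory lists no fixed release for this branch.
    return True, "branch is end-of-life; move to a supported branch"

if __name__ == "__main__":
    # Constructed sample versions, not taken from any real site.
    for v in ["9.5.11", "10.5.8", "10.5.9", "10.6.6", "11.1.4", "11.2.11", "11.3.7"]:
        print(v, advise(v))
```
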
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:
Murat Kekiç (murat_kekic)
Fixed By:
Anna Kalata (akalata) of the Drupal Security Team
Benji Fisher (benjifisher) of the Drupal Security Team
Neil Drumm (drumm) of the Drupal Security Team
Lee Rowlands (larowlan) of the Drupal Security Team
Michael Hess (mlhess) of the Drupal Security Team
James Gilliland (neclimdul) of the Drupal Security Team
Joseph Zhao (pandaski) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Ra Mänd (ram4nd), provisional member of the Drupal Security Team
Jess (xjm) of the Drupal Security Team
Coordinated By:
Greg Knaddison (greggles) of the Drupal Security Team
Lee Rowlands (larowlan) of the Drupal Security Team
Pierre Rudloff (prudloff) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team