Drupal core – Moderately critical – Cross-site scripting – SA-CORE-2026-011

SecurityVulns

Project: Drupal coreDate: 2026-July-15Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site scriptingAffected versions: >=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.2.*CVE IDs: CVE-2026-15917Description: Drupal core 11.2 and above integrate the HTMX JavaScript library.
Drupal core’s XSS filter does not sufficiently sanitize certain HTMX attributes, which can lead to a cross-site scripting (XSS) vulnerability.
The vulnerability is mitigated by the fact an attacker must be able to insert HTML with specific attributes.Solution: Install the latest version:
Drupal 11

If you use Drupal 11.4.x, update to Drupal 11.4.4.
If you use Drupal 11.3.x, update to Drupal 11.3.14.
Drupal 11.2.x and below are end-of-life and do not receive security coverage.

Drupal 10

Drupal 10 core is not affected. However, certain contributed modules may be affected, so a Drupal 10.6 fix is included as hardening.

Drupal 8 and Drupal 9 have both reached end-of-life.Reported By: 
Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
Shawn Duncan (fathershawn)
Pierre Rudloff (prudloff) of the Drupal Security Team
Coordinated By: 
catch (catch) of the Drupal Security Team
Lee Rowlands (larowlan) of the Drupal Security Team
Dave Long (longwave) of the Drupal Security Team
Jess (xjm) of the Drupal Security TeamSecurity advisoriesRead More