Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core from 11.3.0 before 11.3.7.
Problem types
CWE-79 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Product status
11.3.0 (semver) before 11.3.7
Credits
cantina_security
Dries Buytaert (dries)
Shirsendu Mondal
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
Mingsong (mingsong)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Juraj Nemec (poker10)
Jess (xjm)
References
www.drupal.org/sa-core-2026-003