Project:
Date:
2026-April-15
Vulnerability:
Cross-site scripting
Affected versions:
>= 11.3.0 < 11.3.7
CVE IDs:
CVE-2026-6367
Description:
Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5.
The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user.
Solution:
Install the latest version:
- If you use Drupal 11.3.x, update to Drupal 11.3.7
- Drupal versions below 11.3 are not affected by this vulnerability
Reported By:
Fixed By:
- Lee Rowlands (larowlan) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Mingsong (mingsong), provisional member of the Drupal Security Team
Coordinated By:
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
