Project: 
Date: 
2026-July-15
Vulnerability: 
Cross-site scripting
Affected versions: 
>=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.2.*
CVE IDs: 
CVE-2026-15917
Description: 

Drupal core 11.2 and above integrate the HTMX JavaScript library.

Drupal core's XSS filter does not sufficiently sanitize certain HTMX attributes, which can lead to a cross-site scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact an attacker must be able to insert HTML with specific attributes.

Solution: 

Install the latest version:

Drupal 11

  • If you use Drupal 11.4.x, update to Drupal 11.4.4.
  • If you use Drupal 11.3.x, update to Drupal 11.3.14.
  • Drupal 11.2.x and below are end-of-life and do not receive security coverage.

Drupal 10

  • Drupal 10 core is not affected. However, certain contributed modules may be affected, so a Drupal 10.6 fix is included as hardening.

Drupal 8 and Drupal 9 have both reached end-of-life.

Reported By: 
Fixed By: 
Coordinated By: