Project: 
Date: 
2026-July-15
Vulnerability: 
Cross-site scripting
Affected versions: 
<10.6.13 || >=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.0.* || 11.1.* || 11.2.*
CVE IDs: 
CVE-2026-55805
Description: 

The Layout Builder module doesn't sufficiently sanitize block labels in certain scenarios, which can lead to a cross-site scripting (XSS) vulnerability.

This is mitigated by the fact that both the attacker and the targeted user need to be using the Layout Builder editing interface.

Solution: 

Install the latest version:

Drupal 11

  • If you use Drupal 11.4.x, update to Drupal 11.4.4.
  • If you use Drupal 11.3.x, update to Drupal 11.3.14.
  • Drupal 11.2.x and below are end-of-life and do not receive security coverage.

Drupal 10

  • If you use Drupal 10.6.x, update to Drupal 10.6.13.
  • Drupal 10.5.x and below are end-of-life and do not receive security coverage.

Drupal 8 and Drupal 9 have both reached end-of-life.

Reported By: 
Fixed By: 
Coordinated By: