CVE-2026-6365: Drupal core is Vulnerable to Cross-Site Scripting
(updated )
Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-6365 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →