DRUPAL-CORE-2026-003

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2026-003.json
JSON Data
https://api.test.osv.dev/v1/vulns/DRUPAL-CORE-2026-003
Aliases
  • CVE-2026-6367
Published
2026-04-15T19:27:21Z
Modified
2026-04-15T19:46:39.835222Z
Summary
[none]
Details

Drupal 11.3 adds support for autocompleting entity suggestions while adding a link in CKEditor 5.

These suggestions are not sufficiently sanitized, so a malicious user could trigger a stored cross-site scripting (XSS) attack against another user.

References
Credits

Affected packages

Packagist / drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.3.0
Fixed
11.3.7
Database specific
{
    "constraint": ">= 11.3.0 < 11.3.7"
}

Affected versions

11.*
11.3.0
11.3.1
11.3.2
11.3.3
11.3.4
11.3.5
11.3.6

Database specific

affected_versions
">= 11.3.0 < 11.3.7"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2026-003.json"