Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability.
Install the latest version:
- If you use Drupal 10.5.x, update to Drupal 10.5.9.
- If you use Drupal 10.6.x, update to Drupal 10.6.7.
- If you use Drupal 11.2.x, update to Drupal 11.2.11.
- If you use Drupal 11.3.x, update to Drupal 11.3.7.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
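The following is an added example, not part of the advisory or of Drupal itself: a small triage helper that maps installed `drupal/core` version strings onto the update targets and end-of-life branches listed above. The site names and inventory are constructed, and the status labels (`update`, `ok`, `end-of-life`, `branch-not-listed`, `unparsed`) are names chosen for this sketch.

```python
import re

# Fixed release (patch number) per supported branch, from the advisory text.
FIXED = {(10, 5): 9, (10, 6): 7, (11, 2): 11, (11, 3): 7}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def is_end_of_life(major, minor):
    """Advisory: 11.1.x, 11.0.x, 10.4.x and below get no security coverage."""
    return major < 10 or (major == 10 and minor <= 4) or (major == 11 and minor <= 1)


def triage(version):
    """Return (status, update_target) for one installed version string."""
    m = _VERSION.match(version.strip())
    if not m:
        # e.g. "11.3.x-dev": a branch checkout has no patch number to compare.
        return ("unparsed", None)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    prerelease = m.group(4)
    if is_end_of_life(major, minor):
        return ("end-of-life", None)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Branch is neither listed as fixed nor as end-of-life in the advisory.
        return ("branch-not-listed", None)
    target = f"{major}.{minor}.{fixed_patch}"
    # Compare as integers (11 > 9); a pre-release of the fixed patch still
    # sorts before the release, so it is treated as needing the update.
    if patch < fixed_patch or (patch == fixed_patch and prerelease):
        return ("update", target)
    return ("ok", None)


def report(inventory):
    """Triage a {site: version} mapping."""
    return {site: triage(version) for site, version in inventory.items()}


# Constructed inventory: hypothetical site names and versions.
INVENTORY = {"intranet": "10.5.8", "shop": "11.2.11", "blog": "11.1.6",
             "staging": "11.3.x-dev", "docs": "11.2.9"}

if __name__ == "__main__":
    for site, (status, target) in sorted(report(INVENTORY).items()):
        print(f"{site:10} {INVENTORY[site]:12} {status:18} {target or '-'}")
```

Sites reported as `unparsed` or `branch-not-listed` need a manual check, since the advisory gives no fixed version to compare them against.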
- Anna Kalata (akalata) of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Michael Hess (mlhess) of the Drupal Security Team
- James Gilliland (neclimdul) of the Drupal Security Team
- Joseph Zhao (pandaski) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Ra Mänd (ram4nd), provisional member of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Pierre Rudloff (prudloff) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team