Drupal · Drupal · CVE-2026-6367
**Name of the Vulnerable Software and Affected Versions**
Drupal core versions 11.3.0 through 11.3.6
**Description**
Drupal core contains an issue where the entity suggestions offered while adding a link in CKEditor 5 are not sufficiently sanitized. This allows a malicious user to trigger a stored cross-site scripting (XSS) attack against other users. Cross-site scripting is a flaw where an application includes untrusted data in a web page without proper validation or escaping, allowing an attacker's script to execute in the victim's browser.
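To illustrate the bug class described above, here is an added, hypothetical example (not Drupal's or CKEditor 5's own code): a link-suggestion list rendered from entity labels, shown in an unsafe form beside a hardened form. The suggestion objects, labels and function names are constructed for this example.

```javascript
// Entity labels are stored content, so they are attacker-influenced whenever
// any user can create or rename entities. Constructed sample data: two
// ordinary entities and one whose label carries markup.
const SAMPLE_SUGGESTIONS = [
  { id: 1, label: "About us" },
  { id: 2, label: "Contact" },
  { id: 3, label: '<img src=x onerror="alert(1)">' },
];

// Minimal HTML escaper for text nodes and double-quoted attribute values.
// '&' must be replaced first so already-escaped output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// UNSAFE: the label is interpolated straight into markup. Once this string
// is assigned to innerHTML, a label containing a tag becomes live DOM and
// the script runs for every editor user who sees the suggestion list.
function renderSuggestionsUnsafe(suggestions) {
  return suggestions
    .map((s) => `<li data-entity-id="${s.id}">${s.label}</li>`)
    .join("");
}

// HARDENED: every stored value is escaped for the context it lands in
// (attribute value and element text), so markup in a label is displayed
// as literal text rather than parsed.
function renderSuggestionsSafe(suggestions) {
  return suggestions
    .map((s) => `<li data-entity-id="${escapeHtml(s.id)}">${escapeHtml(s.label)}</li>`)
    .join("");
}

// Review check: given the rendered markup and the source suggestions, return
// the labels that still appear verbatim with an unescaped '<' or '>'.
function unescapedLabels(html, suggestions) {
  return suggestions
    .map((s) => s.label)
    .filter((label) => /[<>]/.test(label) && html.includes(label));
}

module.exports = { SAMPLE_SUGGESTIONS, escapeHtml, renderSuggestionsUnsafe, renderSuggestionsSafe, unescapedLabels };
```

In a real editor plugin the stronger fix is to build the list with DOM APIs (`document.createElement` and `textContent`) rather than string concatenation, which removes the need to remember escaping at each interpolation site.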
**Recommendations**
Update to version 11.3.7.