PT-2026-33242 · Drupal · Drupal
Credits: Cantina_Security +9
Published: 2026-04-15 · Updated: 2026-05-21
CVE-2026-6367
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Drupal core versions 11.3.0 through 11.3.6
Description
Drupal core contains an issue where the entity suggestions shown while adding a link in CKEditor 5 are not sufficiently sanitized before being rendered. A malicious user who can influence those suggestions can store a script payload that executes in the browsers of other users who later open the link dialog (stored cross-site scripting, XSS). Cross-site scripting is a flaw where an application includes untrusted data in a web page without proper validation or output encoding, allowing attackers to execute scripts in the victim's browser.
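To illustrate the defect class named above, here is an added example (not Drupal or CKEditor 5 code, and not the patched code from 11.3.7): a link-suggestion list rendered once by string concatenation and once with context-appropriate output encoding plus an href allowlist. The suggestion records, the `label`/`href` field names and the function names are assumptions constructed for the example.

```javascript
// Added example (not Drupal or CKEditor 5 code): rendering link-suggestion
// entries with and without output encoding. The advisory above says entity
// suggestions shown while adding a link were not sufficiently sanitized;
// this models that class of defect generically, with constructed data.

// Constructed sample suggestions, shaped like what an entity-autocomplete
// endpoint might return (field names are assumptions). The second label
// carries an attacker-controlled payload the way a crafted entity title could.
const SAMPLE_SUGGESTIONS = [
  { label: "About us", href: "/node/1" },
  { label: '<img src=x onerror="alert(1)">', href: "/node/2" },
  { label: "Contact", href: "javascript:alert(1)" },
];

// Vulnerable pattern: untrusted text is concatenated straight into markup,
// so any markup in the label becomes part of the page.
function renderSuggestionUnsafe(s) {
  return `<li><a href="${s.href}">${s.label}</a></li>`;
}

// Encode the characters that change meaning in HTML text and attribute
// contexts so the label is displayed, never parsed.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allow only site-relative paths or absolute http(s) URLs as link targets;
// any other scheme (javascript:, data:, ...) and protocol-relative URLs
// are replaced by an inert fragment.
function safeHref(href) {
  const value = String(href).trim();
  if (/^\/(?!\/)/.test(value)) return value;     // site-relative path
  if (/^https?:\/\//i.test(value)) return value; // absolute http(s)
  return "#";
}

// Hardened pattern: validate the href, then encode both values for the
// context they land in (attribute value and element text).
function renderSuggestionSafe(s) {
  return `<li><a href="${escapeHtml(safeHref(s.href))}">${escapeHtml(s.label)}</a></li>`;
}

// Render a whole suggestion dropdown with the chosen item renderer.
function renderList(suggestions, render) {
  return `<ul>${suggestions.map(render).join("")}</ul>`;
}

console.log("unsafe:", renderList(SAMPLE_SUGGESTIONS, renderSuggestionUnsafe));
console.log("safe:  ", renderList(SAMPLE_SUGGESTIONS, renderSuggestionSafe));
```

In a real editor integration the equivalent fix is to build the dropdown with DOM APIs that set `textContent` rather than `innerHTML`, or to pass suggestion text through the framework's own escaping before it is templated; the encoding step and the href allowlist above are the two checks a reviewer would look for.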
Recommendations
Update to version 11.3.7.
Fix
XSS
Affected Products: Drupal