CVE-2026-55808 PUBLISHED

Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009

Assigner: drupal
Reserved: 17.06.2026 Published: 10.07.2026 Updated: 10.07.2026

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0., from 0.0.0 to 11.1..

Product Status

Vendor Drupal
Product Drupal core
Versions
  • affected from 0.0.0 to 10.5.12 (excl.)
  • affected from 10.6.0 to 10.6.11 (excl.)
  • affected from 11.2.0 to 11.2.14 (excl.)
  • affected from 11.3.0 to 11.3.12 (excl.)
  • affected from 0.0.0 to 11.0.* (excl.)
  • affected from 0.0.0 to 11.1.* (excl.)

Credits

  • cantina_security finder
  • Björn Brala (bbrala) remediation developer
  • Kim Pepper (kim.pepper) remediation developer
  • Lee Rowlands (larowlan) remediation developer
  • Damien McKenna (damienmckenna) coordinator
  • Greg Knaddison (greggles) coordinator
  • Lee Rowlands (larowlan) coordinator
  • Dave Long (longwave) coordinator
  • Juraj Nemec (poker10) coordinator
  • Jess (xjm) coordinator

References

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") CWE

Impacts

  • CAPEC-63 Cross-Site Scripting (XSS)