[CIVN-2026-0367] Multiple Vulnerabilities in Drupal

By Published On: July 17, 2026

—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256


Multiple Vulnerabilities in Drupal


Indian – Computer Emergency Response Team (https://www.cert-in.org.in)


Severity Rating: HIGH


Software Affected


Drupal Core version prior to 10.6.13

Drupal Core versions 11.3.0 to 11.3.13

Drupal Core versions 11.4.0 to 11.4.3

Drupal Core versions 11.0.x

Drupal Core versions 11.1.x

Drupal Core versions 11.2.x

Overview


Multiple vulnerabilities have been reported in Drupal core which could allow an attacker to disclose sensitive information and perform cross-site scripting (XSS) attacks on the targeted system.


Target Audience:

Individuals and end-user organizations using Drupal.


Risk Assessment:

High risk of unauthorized access, cross-site scripting (XSS) attacks.


Impact Assessment:

Potential for data exposure, unauthorized access to sensitive information and potential compromise of system.


Description


Drupal is an open-source, content management system (CMS) which allows individuals and organizations to create, manage and maintain websites and web applications.


These vulnerabilities exist in a Drupal core due to insufficient access check for image style derivatives, improper sanitization of certain HTMX attributes and improper sanitisation of block labels in certain scenarios. An attacker could exploit these vulnerabilities by sending specially crafted inputs.


Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information and perform cross-site scripting (XSS) attacks on the targeted system.

Note: Drupal 10.5.x, Drupal 11.2.x and all prior releases have reached end-of-life and no longer receive security support. Drupal 8 and Drupal 9 have also reached end-of-life.


Solution


Upgrade to the latest versions as mentioned in the security advisories:

https://www.drupal.org/sa-core-2026-010


https://www.drupal.org/sa-core-2026-011


https://www.drupal.org/sa-core-2026-012



Vendor Information


Drupal

https://www.drupal.org


References


Drupal

https://www.drupal.org/sa-core-2026-010

https://www.drupal.org/sa-core-2026-011

https://www.drupal.org/sa-core-2026-012


CVE Name

CVE-2026-15916

CVE-2026-15917

CVE-2026-55805




– —


Thanks and Regards,

CERT-In


Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS


Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–


iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmpaLE0ACgkQ3jCgcSdc

ys/Uag//eTLg+bv3JYp4KUdk76oxWvmx9Ma4o2YNFguIk44LWHFtjI7nMdry3lfR

byYCrg4xPxVy3cP3PdBQqGpBr5riIdAOX3+TTfvWQ15uAlhOLU/LmedWxPUsx9be

oD1s6snyjlzdOCNilbNoDovVos3QbA36FJgUWgFEPJNP3H0Es3I2XrhpfmA1rQgZ

jXwBdhbIfYeGjFXphgOOE4wKmjAgbVvQi5kCrJjBqNikRrtKfuTQzYsePw7GQep0

QLrbPl94hCDjbhr0Hj+nOdt9/Hrizbue1QaD6wDAnYQpHvdrn4hld4WICvBhxlwh

J8ZqRRk9mx76k8hnoOJX4jr/gBhLLkWeAW2k1MfRm8gTVrmbdGjRx+dm5baU4N8U

INZV6m8K6otOQbf3zLR7JeCRFdvj3eHJxD5xmro1cf4NLXxoG4sGsYtrRx7gOMl/

PqlzzqDnDoE5FhxWlYV8fglalwuJ5QNnOP9DyMOySVytF1Ug7EsZ9ZtxF1n3pHmE

myLVJ8bKSUO/5OLzHc+9rBaHC5wdQXt8hKysIomCQCisgTwev0DwIbyDVZ8LigS2

Z0UqQugXsN1Xl1MpOSW7tGXoU+nETcPCk/wRuDyQeMCrGd8AOjg1AYv/Sxr0dDek

mUcmytNHkFeKhVx+jU1KiiYyTFhLNSeK1nOch1DrcvI6DJYXwlI=

=z/M1

—–END PGP SIGNATURE—–

Share this article