
[CIVN-2026-0367] Multiple Vulnerabilities in Drupal
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
Multiple Vulnerabilities in Drupal
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Drupal Core version prior to 10.6.13
Drupal Core versions 11.3.0 to 11.3.13
Drupal Core versions 11.4.0 to 11.4.3
Drupal Core versions 11.0.x
Drupal Core versions 11.1.x
Drupal Core versions 11.2.x
Overview
Multiple vulnerabilities have been reported in Drupal core which could allow an attacker to disclose sensitive information and perform cross-site scripting (XSS) attacks on the targeted system.
Target Audience:
Individuals and end-user organizations using Drupal.
Risk Assessment:
High risk of unauthorized access, cross-site scripting (XSS) attacks.
Impact Assessment:
Potential for data exposure, unauthorized access to sensitive information and potential compromise of system.
Description
Drupal is an open-source, content management system (CMS) which allows individuals and organizations to create, manage and maintain websites and web applications.
These vulnerabilities exist in a Drupal core due to insufficient access check for image style derivatives, improper sanitization of certain HTMX attributes and improper sanitisation of block labels in certain scenarios. An attacker could exploit these vulnerabilities by sending specially crafted inputs.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information and perform cross-site scripting (XSS) attacks on the targeted system.
Note: Drupal 10.5.x, Drupal 11.2.x and all prior releases have reached end-of-life and no longer receive security support. Drupal 8 and Drupal 9 have also reached end-of-life.
Solution
Upgrade to the latest versions as mentioned in the security advisories:
https://www.drupal.org/sa-core-2026-010
https://www.drupal.org/sa-core-2026-011
https://www.drupal.org/sa-core-2026-012
Vendor Information
Drupal
https://www.drupal.org
References
Drupal
https://www.drupal.org/sa-core-2026-010
https://www.drupal.org/sa-core-2026-011
https://www.drupal.org/sa-core-2026-012
CVE Name
CVE-2026-15916
CVE-2026-15917
CVE-2026-55805
– —
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
—–BEGIN PGP SIGNATURE—–
iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmpaLE0ACgkQ3jCgcSdc
ys/Uag//eTLg+bv3JYp4KUdk76oxWvmx9Ma4o2YNFguIk44LWHFtjI7nMdry3lfR
byYCrg4xPxVy3cP3PdBQqGpBr5riIdAOX3+TTfvWQ15uAlhOLU/LmedWxPUsx9be
oD1s6snyjlzdOCNilbNoDovVos3QbA36FJgUWgFEPJNP3H0Es3I2XrhpfmA1rQgZ
jXwBdhbIfYeGjFXphgOOE4wKmjAgbVvQi5kCrJjBqNikRrtKfuTQzYsePw7GQep0
QLrbPl94hCDjbhr0Hj+nOdt9/Hrizbue1QaD6wDAnYQpHvdrn4hld4WICvBhxlwh
J8ZqRRk9mx76k8hnoOJX4jr/gBhLLkWeAW2k1MfRm8gTVrmbdGjRx+dm5baU4N8U
INZV6m8K6otOQbf3zLR7JeCRFdvj3eHJxD5xmro1cf4NLXxoG4sGsYtrRx7gOMl/
PqlzzqDnDoE5FhxWlYV8fglalwuJ5QNnOP9DyMOySVytF1Ug7EsZ9ZtxF1n3pHmE
myLVJ8bKSUO/5OLzHc+9rBaHC5wdQXt8hKysIomCQCisgTwev0DwIbyDVZ8LigS2
Z0UqQugXsN1Xl1MpOSW7tGXoU+nETcPCk/wRuDyQeMCrGd8AOjg1AYv/Sxr0dDek
mUcmytNHkFeKhVx+jU1KiiYyTFhLNSeK1nOch1DrcvI6DJYXwlI=
=z/M1
—–END PGP SIGNATURE—–


