
[CIVN-2026-0201] Multiple Vulnerabilities in Drupal
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Multiple Vulnerabilities in Drupal
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Drupal Core versions from 8.0.0 to prior to 10.5.9
Drupal Core versions from 10.6.0 to prior to 10.6.7
Drupal Core versions from 11.0.0 to prior to 11.2.11
Drupal Core versions from 11.3.0 to prior to 11.3.7
Overview
Multiple vulnerabilities have been reported in Drupal core which could allow an attacker to disclose sensitive information, escalate privileges, execute remote code and perform Cross-site Scripting (XSS) attacks on the targeted system.
Target Audience:
Individuals and end-user organizations using Drupal.
Risk Assessment:
High risk of unauthorized access, privilege escalation, persistent cross-site scripting (XSS), and account takeover.
Impact Assessment:
Potential for account compromise, data exposure, unauthorized access, remote code execution and elevated privileges.
Description
Drupal is an open-source content management system (CMS) which allows individuals and organizations to create, manage and maintain websites and web applications.
These vulnerabilities exist in Drupal core due to insufficient sanitization of user-supplied data in the jQuery integration for AJAX modal dialog boxes, and due to a gadget chain issue. An attacker could exploit these vulnerabilities by sending specially crafted inputs.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, escalate privileges, execute remote code and perform Cross-site Scripting (XSS) attacks on the targeted system.
Note: Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and all prior releases have reached end-of-life and no longer receive security support. Drupal 8 and Drupal 9 have also reached end-of-life.
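As an added check (example code, not from CERT-In or the Drupal project), the following Python script maps an installed Drupal core version onto the affected ranges listed under Software Affected and, following the end-of-life note, tells apart versions that have a fixed release on their branch from versions on end-of-life branches that must be moved to a supported branch. The version strings checked at the bottom are constructed sample inputs.

```python
"""Assess a Drupal core version against the ranges in this advisory.

Added example, not CERT-In's or the Drupal project's code. The ranges
and fixed releases are those listed in the advisory; the inputs at the
bottom are constructed samples.
"""
import re

# (first affected release, first fixed release), taken from "Software Affected".
AFFECTED_RANGES = [
    ("8.0.0", "10.5.9"),
    ("10.6.0", "10.6.7"),
    ("11.0.0", "11.2.11"),
    ("11.3.0", "11.3.7"),
]

# Branches that still receive security fixes; per the advisory's note,
# 11.1.x, 11.0.x, 10.4.x and everything older are end-of-life.
SUPPORTED_BRANCHES = [(10, 5), (10, 6), (11, 2), (11, 3)]


def parse_version(text):
    """Turn '10.6.3', 'v10.6' or '11.3.7-rc1' into a comparable tuple.

    The fourth element orders a pre-release (0) before its final release (1),
    so '11.3.7-rc1' still compares as older than the fixed 11.3.7.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?\s*$", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def assess(version_text):
    """Return 'not affected', 'affected: upgrade to <fixed>' or an EOL verdict."""
    v = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            if v[:2] in SUPPORTED_BRANCHES:
                return f"affected: upgrade to {first_fixed}"
            return "affected: branch is end-of-life, move to a supported branch"
    return "not affected"


if __name__ == "__main__":
    # Constructed samples, e.g. the core version reported by `drush status`.
    for sample in ["9.5.11", "10.4.3", "10.5.3", "10.6.7", "11.1.2", "11.3.7-rc1", "11.3.7"]:
        print(f"{sample:12} -> {assess(sample)}")
```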
Solution
Upgrade to the latest versions as mentioned in the security advisories:
https://www.drupal.org/sa-contrib-2026-001
https://www.drupal.org/sa-core-2026-002
https://www.drupal.org/sa-core-2026-003
Vendor Information
Drupal
https://www.drupal.org
References
Drupal
https://www.drupal.org/sa-contrib-2026-001
https://www.drupal.org/sa-core-2026-002
https://www.drupal.org/sa-core-2026-003
CVE Name
CVE-2026-6365
CVE-2026-6366
CVE-2026-6367
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----