CVE-2026-6367 Overview
CVE-2026-6367 is a Cross-Site Scripting (XSS) vulnerability in Drupal core that stems from improper neutralization of input during web page generation [CWE-79]. The flaw affects Drupal core versions from 11.3.0 before 11.3.7. An attacker can craft malicious input that the application renders without proper sanitization, causing arbitrary script execution in a victim's browser when the victim interacts with the malicious content.
The vulnerability requires user interaction and operates over the network with low attack complexity. Successful exploitation impacts confidentiality and integrity within the browser context, enabling session theft, content manipulation, or redirection to attacker-controlled resources.
Critical Impact
Attackers can execute arbitrary JavaScript in victim browsers, leading to session hijacking, credential theft, and unauthorized actions performed under the victim's authenticated Drupal session.
Affected Products
- Drupal core 11.3.0 through versions before 11.3.7
- Sites running affected Drupal core releases with content submission or rendering features exposed
- Web applications built on the impacted Drupal core branch
Discovery Timeline
- 2026-05-19 - CVE-2026-6367 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-6367
Vulnerability Analysis
The vulnerability is a stored or reflected Cross-Site Scripting (XSS) issue classified under [CWE-79]. Drupal core fails to neutralize user-supplied input before embedding it in generated web pages. An attacker submits crafted input containing HTML or JavaScript payloads. When the application renders the input, the payload executes in the browser of any user viewing the affected page.
The scope is changed, meaning the vulnerable component can affect resources beyond its security authority. This typically occurs when injected scripts run within an authenticated user's session context, allowing actions on behalf of that user. The attack requires user interaction, such as clicking a link or visiting a page containing the malicious payload.
Root Cause
The root cause is missing or incomplete output encoding when Drupal core renders user-controlled data into HTML responses. Specific input fields or rendering paths in the affected versions do not apply appropriate context-aware escaping. Untrusted data flows into the DOM and is interpreted as executable script rather than inert text content.
Attack Vector
An attacker delivers a crafted payload through a network-accessible input field or URL parameter handled by Drupal. The application stores or reflects the payload in a rendered page. A victim with privileges to view the affected content triggers script execution by visiting the page. The injected script runs with the privileges of the victim within the Drupal application origin.
No verified public exploit code is available at this time. Refer to the Drupal Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2026-6367
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or event handlers such as onerror= and onload= within stored Drupal content fields
- Outbound browser requests from authenticated Drupal sessions to unknown external domains shortly after page loads
- Anomalous session activity, including administrative actions originating from non-administrative user contexts
Detection Strategies
- Review Drupal database content tables for HTML or JavaScript patterns inside fields that should contain plain text
- Inspect web server access logs for requests containing encoded XSS payloads such as %3Cscript%3E or onerror=
- Enable and monitor Content Security Policy (CSP) violation reports to capture inline script execution attempts
Monitoring Recommendations
- Aggregate Drupal application and web server logs into a centralized analytics platform for correlation
- Establish baselines for typical content submission patterns and alert on deviations involving HTML tag injection
- Monitor administrative account behavior for unauthorized configuration changes following content interactions
How to Mitigate CVE-2026-6367
Immediate Actions Required
- Upgrade Drupal core to version 11.3.7 or later as soon as possible
- Audit recent content submissions and user-generated fields for embedded scripts or suspicious markup
- Rotate session keys and require re-authentication for privileged users if compromise is suspected
Patch Information
Drupal released a fixed version 11.3.7 addressing CVE-2026-6367. Administrators should apply the update following the guidance in the Drupal Security Advisory SA-CORE-2026-003. Verify the installed version after upgrade and review changelog entries for related security fixes.
Workarounds
- Restrict permissions for untrusted users to limit access to content creation and editing features
- Deploy a Web Application Firewall (WAF) with rules to filter common XSS payload patterns in request parameters
- Implement a strict Content Security Policy (CSP) header to limit inline script execution and external script sources
# Verify Drupal core version after applying the patch
drush status --field=drupal-version
# Example restrictive Content Security Policy header (Apache)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
