CVEFinder.io

CVE-2026-6367

🔶 medium
🔍 Scan for this CVE
Summary

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.

CVSS Score
6.1
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-19
First Seen: 2026-05-20
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 38.9% of all 327,306 vulnerabilities in our database.

#200,025
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 20, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
cantina_security Dries Buytaert (dries) Shirsendu Mondal Lee Rowlands (larowlan) (remediation developer) Drew Webber (mcdruid) (remediation developer) Mingsong (mingsong) (remediation developer) Damien McKenna (damienmckenna) (coordinator) Greg Knaddison (greggles) (coordinator) Lee Rowlands (larowlan) (coordinator) Juraj Nemec (poker10) (coordinator) Jess (xjm) (coordinator)
SSVC data provided by CISA
Last Modified 2026-05-20
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE IDs (Weakness Types)
CWE-79

📦 Affected Products 1

Vendor Product Status Affected Versions
drupal drupal Affected
> 11.3.0 < 11.3.7

🔗 References 1

https://www.drupal.org/sa-core-2026-003
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-9082 ⛔ critical 9.8 34.2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core... 2026-05-20
CVE-2026-6365 🔶 medium 6.1 0.0 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core... 2026-05-19
CVE-2026-6366 🔶 medium 6.6 0.1 Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow... 2026-05-19
CVE-2025-13080 🔶 medium 5.3 0.1 Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This i... 2025-11-18
CVE-2025-13081 🔶 medium 5.9 0.2 Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow... 2025-11-18
CVE-2025-13082 🔶 medium 4.3 0.1 User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofin... 2025-11-18
These CVEs affect the same products