PatchSiren cyber security CVE debrief
CVE-2026-6365 Drupal CVE debrief
CVE-2026-6365 is a cross-site scripting (XSS) vulnerability in Drupal core (CWE-79), disclosed through the official NVD record and the linked vendor advisory. NVD scores it CVSS 3.1 6.1 (Medium): network attack vector, low attack complexity, no privileges required, and user interaction required. The affected Drupal core version ranges are 8.0.0 up to but not including 10.5.9, 10.6.0 before 10.6.7, 11.0.0 before 11.2.11, and 11.3.0 before 11.3.7; the first fixed release of each range is therefore 10.5.9, 10.6.7, 11.2.11 and 11.3.7.
- Vendor: Drupal
- Product: Drupal core
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Organizations running Drupal core, especially site operators, CMS administrators, security teams, and developers responsible for patching public-facing Drupal deployments.
Technical summary
The issue is classified as improper neutralization of input during web page generation, resulting in XSS. The NVD record lists CWE-79 and the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: the flaw is reachable over the network by an unauthenticated attacker, requires a victim to interact with crafted content, and carries a scope change (S:C), which is typical for XSS because the injected script executes in the victim's browser rather than in the vulnerable component itself. The rated impact is low on confidentiality and integrity and none on availability. The vulnerable version ranges are defined explicitly in the NVD metadata for Drupal core; the record contains no further technical detail about the injection point.
Defensive priority
Moderate-to-high. The CVSS score is medium, but the vulnerability is in core rather than a contributed module, it spans every currently maintained release line, and a successful XSS runs with the browser session of whoever views the crafted content. Because the vector requires user interaction, the most valuable victims are administrators and content editors with an active session, so patching should be prioritized for internet-facing sites and for any site whose privileged users are exposed to untrusted content.
Recommended defensive actions
- Upgrade Drupal core to a fixed release outside the affected version ranges listed by NVD and the vendor advisory: 10.5.9, 10.6.7, 11.2.11 or 11.3.7, or later on the same line.
- Review the Drupal security advisory at the official vendor URL for any release-specific remediation guidance.
- Inventory all Drupal core installations and confirm which version line each instance runs before scheduling updates; the declared version lives in the VERSION constant of core/lib/Drupal.php, and an instance on an unsupported line (for example 9.x) still falls inside the 8.0.0 to 10.5.9 range and needs a major upgrade rather than a point release.
- Prioritize instances where administrators or content editors routinely view untrusted content, since their sessions are the most valuable XSS targets; until those instances are patched, consider tightening the Content Security Policy and reviewing which roles may submit unfiltered markup.
- After updating, verify that user-supplied and dynamically generated content still renders as expected, and monitor request and application logs for script-injection attempts against the updated sites.
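The inventory and range check above, as an added example that is not part of the original debrief or of Drupal itself. It reads the version string from the `const VERSION` declaration in core/lib/Drupal.php (a real Drupal core convention), compares it against the four affected ranges quoted from NVD, and returns the first fixed release to upgrade to. The sample inventory of site names and file contents is constructed for illustration, and the handling of pre-release suffixes such as `-dev` (flagging them for manual review rather than clearing them) is this example's own assumption.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected Drupal core ranges from the NVD metadata quoted in this debrief:
# (first affected, first fixed), lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ((8, 0, 0), (10, 5, 9)),
    ((10, 6, 0), (10, 6, 7)),
    ((11, 0, 0), (11, 2, 11)),
    ((11, 3, 0), (11, 3, 7)),
]

# Drupal core declares its version as `const VERSION = '...'` in core/lib/Drupal.php.
_VERSION_DECL_RE = re.compile(r"const\s+VERSION\s*=\s*['\"]([^'\"]+)['\"]")
_SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def extract_core_version(drupal_php_source: str) -> Optional[str]:
    """Return the version string declared in core/lib/Drupal.php, or None if absent."""
    m = _VERSION_DECL_RE.search(drupal_php_source)
    return m.group(1) if m else None


def parse_version(version: str) -> Tuple[Version, Optional[str]]:
    """Split '11.2.10-dev' into ((11, 2, 10), 'dev'); raise ValueError on junk."""
    m = _SEMVER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), suffix


def minimum_fixed_release(version: str) -> Optional[str]:
    """First fixed release of the affected range containing `version`, else None."""
    numeric, _ = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= numeric < high:
            return ".".join(str(n) for n in high)
    return None


def is_affected(version: str) -> bool:
    return minimum_fixed_release(version) is not None


def assess(version: str) -> str:
    """Classify one install as affected, not_affected, prerelease_manual_check or unknown."""
    try:
        numeric, suffix = parse_version(version)
    except ValueError:
        return "unknown"
    if minimum_fixed_release(version) is not None:
        return "affected"
    # Assumption: a pre-release such as 11.2.11-dev shares the numeric prefix of the
    # fix release but may have been cut before the fix landed, so do not clear it.
    if suffix is not None and any(numeric == high for _, high in AFFECTED_RANGES):
        return "prerelease_manual_check"
    return "not_affected"


def assess_inventory(sources: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str, Optional[str]]]:
    """Map site name -> (declared version, status, minimum fixed release or None)."""
    report = {}
    for site, source in sources.items():
        version = extract_core_version(source)
        if version is None:
            report[site] = (None, "unknown", None)
            continue
        status = assess(version)
        fixed = minimum_fixed_release(version) if status == "affected" else None
        report[site] = (version, status, fixed)
    return report


# Constructed sample inventory: the relevant fragment of core/lib/Drupal.php from
# five hypothetical sites. Real inventories would read the file from each install.
SAMPLE_INVENTORY = {
    "intranet": "class Drupal {\n  const VERSION = '10.5.8';\n}",
    "marketing": "class Drupal {\n  const VERSION = '11.3.7';\n}",
    "legacy": "class Drupal {\n  const VERSION = '9.5.11';\n}",
    "staging": "class Drupal {\n  const VERSION = '11.2.11-dev';\n}",
    "broken": "<?php // file truncated",
}

if __name__ == "__main__":
    for site, (version, status, fixed) in assess_inventory(SAMPLE_INVENTORY).items():
        action = f"upgrade to {fixed}" if fixed else ""
        print(f"{site:10} {version or '?':14} {status:24} {action}")
```

Note that `legacy` on 9.5.11 is reported as affected with 10.5.9 as the minimum fixed release: the 8.0.0 to 10.5.9 range covers every unsupported line, so such an instance needs a major-version migration, not a point release.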
Evidence notes
This debrief is based only on the supplied official sources: the NVD CVE record, the NVD API source item, and the linked Drupal security advisory reference. The published time used here is the CVE publication timestamp provided in the corpus (2026-05-19T23:16:58.103Z), and the modified time is 2026-05-20T22:59:58.117Z. No exploit details beyond the official CWE, CVSS and affected-version metadata were used, and none are implied above.
Official resources
- CVE-2026-6365 CVE record (CVE.org)
- CVE-2026-6365 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly disclosed in the CVE/NVD record on 2026-05-19 and updated in NVD on 2026-05-20; the vendor advisory is referenced at the official Drupal security notice URL.