=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN388
_____________________________________________________________________

DATE                : 16/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions prior to
                          10.5.9, 10.6.7, 11.2.11, 11.3.7.

=====================================================================
https://www.drupal.org/sa-core-2026-001
https://www.drupal.org/sa-core-2026-002
https://www.drupal.org/sa-core-2026-003
_____________________________________________________________________

Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
Project: Drupal core
Date: 2026-April-15
Security risk: 
Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site scripting
Affected versions: 
>= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6365


Description: 

Drupal core's jQuery integration for AJAX modal dialog boxes does not
sufficiently sanitize certain options, which can lead to a
cross-site scripting (XSS) vulnerability.


Solution: 

Install the latest version:

    If you use Drupal 10.5.x, update to Drupal 10.5.9.
    If you use Drupal 10.6.x, update to Drupal 10.6.7.
    If you use Drupal 11.2.x, update to Drupal 11.2.11.
    If you use Drupal 11.3.x, update to Drupal 11.3.7.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life
and do not receive security coverage. (Drupal 8 and Drupal 9 have
both reached end-of-life.)


Reported By: 

    Murat Kekiç (murat_kekic) 


Fixed By: 

    Anna Kalata (akalata) of the Drupal Security Team
    Benji Fisher (benjifisher) of the Drupal Security Team
    Neil Drumm (drumm) of the Drupal Security Team
    Lee Rowlands (larowlan) of the Drupal Security Team
    Michael Hess (mlhess) of the Drupal Security Team
    James Gilliland (neclimdul) of the Drupal Security Team
    Joseph Zhao (pandaski) of the Drupal Security Team
    Juraj Nemec (poker10) of the Drupal Security Team
    Ra Mänd (ram4nd), provisional member of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 


Coordinated By: 

    Greg Knaddison (greggles) of the Drupal Security Team
    Lee Rowlands (larowlan) of the Drupal Security Team
    Pierre Rudloff (prudloff) of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 
_____________________________________________________________________

Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
Project: Drupal core
Date: 2026-April-15
Security risk: 
Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Gadget Chain
Affected versions: 
>= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6366


Description: 

Drupal core contains a chain of methods that could be exploitable
when an insecure deserialization vulnerability exists on the site.
This so-called "gadget chain" presents no direct threat, but is a
vector that can be used to achieve remote code execution or
SQL injection if the application deserializes untrusted data due
to another vulnerability.

This issue is not directly exploitable.

This issue is mitigated by the fact that in order for it to be
exploitable, a separate vulnerability must be present to allow
an attacker to pass unsafe input to unserialize(). There are no
such known exploits in Drupal core.


Solution: 

Install the latest version:

    If you use Drupal 10.5.x, update to Drupal 10.5.9.
    If you use Drupal 10.6.x, update to Drupal 10.6.7.
    If you use Drupal 11.2.x, update to Drupal 11.2.11.
    If you use Drupal 11.3.x, update to Drupal 11.3.7.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are
end-of-life and do not receive security coverage. (Drupal
8 and Drupal 9 have both reached end-of-life.)


Reported By: 

    Truong Le (hswww)
    menon
    t-chen 


Fixed By: 

    Benji Fisher (benjifisher) of the Drupal Security Team
    cilefen (cilefen) of the Drupal Security Team
    Neil Drumm (drumm) of the Drupal Security Team
    Greg Knaddison (greggles) of the Drupal Security Team
    Lee Rowlands (larowlan) of the Drupal Security Team
    Dave Long (longwave) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Ra Mänd (ram4nd), provisional member of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 


Coordinated By: 

    Greg Knaddison (greggles) of the Drupal Security Team
    Lee Rowlands (larowlan) of the Drupal Security Team
    Dave Long (longwave) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Juraj Nemec (poker10) of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 
_____________________________________________________________________

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
Project: Drupal core
Date: 2026-April-15
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Affected versions: >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6367


Description: 

Drupal 11.3 comes with support for completing entity suggestions whilst
adding a link to CKEditor 5.

The suggestions aren't sufficiently sanitized and a malicious user could
trigger a stored cross-site scripting attack against another user.


Solution: 

Install the latest version:

    If you use Drupal 11.3.x, update to Drupal 11.3.7.
    Drupal versions below 11.3 are not affected by this vulnerability.

Reported By: 

    cantina_security
    Dries Buytaert (dries)
    Shirsendu Mondal 

Fixed By: 

    Lee Rowlands (larowlan) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Mingsong (mingsong), provisional member of the Drupal Security Team 

Coordinated By: 

    Damien McKenna (damienmckenna) of the Drupal Security Team
    Greg Knaddison (greggles) of the Drupal Security Team
    Lee Rowlands (larowlan) of the Drupal Security Team
    Juraj Nemec (poker10) of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 
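Added triage helper (not part of the CERT-Renater or Drupal advisories): it parses the "Affected versions" expressions quoted in the three advisories above and, for a deployed Drupal core version, reports which of SA-CORE-2026-001/002/003 apply and which fixed release the Solution section names for that branch. The version strings passed to triage() below are constructed sample inputs.

```python
"""Added triage helper for the three SA-CORE-2026 advisories quoted above.
Not part of the CERT-Renater / Drupal advisory text."""
import re

# Affected-version expressions copied verbatim from the advisories.
ADVISORIES = {
    "SA-CORE-2026-001": ">= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7",
    "SA-CORE-2026-002": ">= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7",
    "SA-CORE-2026-003": ">= 11.3.0 < 11.3.7",
}

# Fixed releases named in the Solution sections, keyed by supported branch.
# Branches absent here (11.1, 11.0, 10.4 and below) are end-of-life and
# have no fixed release; triage() returns None for them.
FIXED = {(10, 5): (10, 5, 9), (10, 6): (10, 6, 7),
         (11, 2): (11, 2, 11), (11, 3): (11, 3, 7)}

_CLAUSE = re.compile(r"(>=|<)\s*(\d+\.\d+\.\d+)")


def parse_version(s):
    """'10.5.8' -> (10, 5, 8). Tuples compare numerically; comparing the
    raw strings would wrongly rank '8.0.0' above '10.5.9'."""
    return tuple(int(p) for p in s.split("."))


def parse_ranges(expr):
    """Turn 'A || B || ...' into a list of (low_inclusive, high_exclusive)."""
    ranges = []
    for alt in expr.split("||"):
        bounds = dict(_CLAUSE.findall(alt))        # {'>=': '8.0.0', '<': '10.5.9'}
        ranges.append((parse_version(bounds[">="]), parse_version(bounds["<"])))
    return ranges


def is_affected(version, expr):
    """True when version falls inside any alternative of the expression."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in parse_ranges(expr))


def triage(version):
    """Return (applicable advisory ids, fixed release for this branch or None)."""
    hits = [sa for sa, expr in ADVISORIES.items() if is_affected(version, expr)]
    fixed = FIXED.get(parse_version(version)[:2])
    return hits, ".".join(map(str, fixed)) if fixed else None


if __name__ == "__main__":
    for sample in ("10.5.8", "11.1.5", "11.3.6", "11.3.7"):   # constructed inputs
        print(sample, triage(sample))
```

A None in the second position means the deployed branch is end-of-life: the advisory offers no in-branch fix, so the host must move to a supported branch rather than a point release.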

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================