Drupal Security | Develop Site

Subscribe to Drupal Security Feed
Aktualisiert: vor 24 Minuten 22 Sekunden

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-012

Mi, 07/15/2026 - 21:52
Project: Drupal coreDate: 2026-July-15Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingAffected versions: <10.6.13 || >=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.0.* || 11.1.* || 11.2.*CVE IDs: CVE-2026-55805Description: 

The Layout Builder module doesn't sufficiently sanitize block labels in certain scenarios, which can lead to a cross-site scripting (XSS) vulnerability.

This is mitigated by the fact that both the attacker and the targeted user need to be using the Layout Builder editing interface.

Solution: 

Install the latest version:

Drupal 11

  • If you use Drupal 11.4.x, update to Drupal 11.4.4.
  • If you use Drupal 11.3.x, update to Drupal 11.3.14.
  • Drupal 11.2.x and below are end-of-life and do not receive security coverage.

Drupal 10

  • If you use Drupal 10.6.x, update to Drupal 10.6.13.
  • Drupal 10.5.x and below are end-of-life and do not receive security coverage.

Drupal 8 and Drupal 9 have both reached end-of-life.

Reported By: Fixed By: Coordinated By: 
Kategorien: Drupal

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-011

Mi, 07/15/2026 - 21:51
Project: Drupal coreDate: 2026-July-15Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site scriptingAffected versions: >=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.2.*CVE IDs: CVE-2026-15917Description: 

Drupal core 11.2 and above integrate the HTMX JavaScript library.

Drupal core's XSS filter does not sufficiently sanitize certain HTMX attributes, which can lead to a cross-site scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact an attacker must be able to insert HTML with specific attributes.

Solution: 

Install the latest version:

Drupal 11

  • If you use Drupal 11.4.x, update to Drupal 11.4.4.
  • If you use Drupal 11.3.x, update to Drupal 11.3.14.
  • Drupal 11.2.x and below are end-of-life and do not receive security coverage.

Drupal 10

  • Drupal 10 core is not affected. However, certain contributed modules may be affected, so a Drupal 10.6 fix is included as hardening.

Drupal 8 and Drupal 9 have both reached end-of-life.

Reported By: Fixed By: Coordinated By: 
Kategorien: Drupal

Drupal core - Moderately critical - Information disclosure - SA-CORE-2026-010

Mi, 07/15/2026 - 21:50
Project: Drupal coreDate: 2026-July-15Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information disclosureAffected versions: <10.6.13 || >=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.0.* || 11.1.* || 11.2.*CVE IDs: CVE-2026-15916Description: 

The Image module allows you to define and configure image fields.

The module doesn't sufficiently check access to image style derivatives when those files are served via a file stream other than private://.

This vulnerability is mitigated by the fact that Drupal must be configured to use a contributed (non-core) file scheme to serve private derived images.

Information disclosure issues like this one are not generally given security advisories (as described in PSA-2023-07-12)). This fix is provided as a hardening. Contributed modules implementing custom stream wrappers may need to add similar hardenings.

Solution: 

Install the latest version:

Drupal 11

  • If you use Drupal 11.4.x, update to Drupal 11.4.4.
  • If you use Drupal 11.3.x, update to Drupal 11.3.14.
  • Drupal 11.2.x and below are end-of-life and do not receive security coverage.

Drupal 10

  • If you use Drupal 10.6.x, update to Drupal 10.6.13.
  • Drupal 10.5.x and below are end-of-life and do not receive security coverage.

Drupal 8 and Drupal 9 have both reached end-of-life.

Reported By: Fixed By: Coordinated By: 
Kategorien: Drupal