DRUPAL-CORE-2026-011

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2026-011.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CORE-2026-011
Aliases
  • CVE-2026-15917
Published
2026-07-15T19:51:57Z
Modified
2026-07-15T20:45:04.869803645Z
Summary
[none]
Details

Drupal core 11.2 and above integrate the HTMX JavaScript library.

Drupal core's XSS filter does not sufficiently sanitize certain HTMX attributes, which can lead to a cross-site scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact an attacker must be able to insert HTML with specific attributes.

References
Credits

Affected packages

Packagist / drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.3.0
Fixed
11.3.14
Database specific
{
    "constraint": ">=11.3.0 <11.3.14"
}
Type
ECOSYSTEM
Events
Introduced
11.4.0
Fixed
11.4.4
Database specific
{
    "constraint": ">=11.4.0 <11.4.4"
}
Type
ECOSYSTEM
Events
Introduced
11.2.0
Fixed
11.3.0
Database specific
{
    "constraint": "11.2.*"
}

Affected versions

11.*
11.2.0
11.2.1
11.2.2
11.2.3
11.2.4
11.2.5
11.2.6
11.2.7
11.2.8
11.2.9
11.2.10
11.2.11
11.2.12
11.2.13
11.2.14
11.3.0-alpha1
11.3.0-beta1
11.3.0-rc1
11.3.0-rc2
11.3.0
11.3.1
11.3.2
11.3.3
11.3.4
11.3.5
11.3.6
11.3.7
11.3.8
11.3.9
11.3.10
11.3.11
11.3.12
11.3.13
11.4.0
11.4.1
11.4.2
11.4.3

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2026-011.json"
affected_versions
">=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.2.*"