15 Apr 2026

feedDrupal.org aggregator

Security advisories: Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

Project:
Drupal core
Date:
2026-April-15
Security risk:
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability:
Cross-site scripting
Affected versions:
>= 11.3.0 < 11.3.7
CVE IDs:
CVE-2026-6367
Description:

Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5.

The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user.

Solution:

Install the latest version:

  • If you use Drupal 11.3.x, update to Drupal 11.3.7
  • Drupal versions below 11.3 are not affected by this vulnerability
Reported By:
Fixed By:
Coordinated By:

15 Apr 2026 7:27pm GMT

Security advisories: Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Project:
Drupal core
Date:
2026-April-15
Security risk:
Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability:
Gadget Chain
Affected versions:
>= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7
CVE IDs:
CVE-2026-6366
Description:

Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.

This issue is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

Solution:

Install the latest version:

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By:
Fixed By:
Coordinated By:

15 Apr 2026 7:25pm GMT

Security advisories: Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001

Project:
Drupal core
Date:
2026-April-15
Security risk:
Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability:
Cross-site scripting
Affected versions:
>= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7
CVE IDs:
CVE-2026-6365
Description:

Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which which can lead to a cross-site scripting (XSS) vulnerability.

Solution:

Install the latest version:

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By:
Fixed By:
Coordinated By:

15 Apr 2026 7:24pm GMT

14 Apr 2026

feedSymfony Blog

Symfony_Live Berlin: "Build Applications that Welcome Change"

We're excited to announce that SymfonyLive Berlin 2026 will take place April 23-24, 2026 at CineStar CUBIX Alexanderplatz, right in the heart of Berlin, directly on Alexanderplatz and easily accessible by public transport. 🎤 New talk announcement!…

14 Apr 2026 2:20pm GMT

SymfonyLive Berlin 2026: "Specing out teamwork”

We're excited to announce that SymfonyLive Berlin 2026 will take place April 23-24, 2026 at CineStar CUBIX Alexanderplatz, right in the heart of Berlin, directly on Alexanderplatz and easily accessible by public transport. 🎤 New talk at SymfonyLive…

14 Apr 2026 12:54pm GMT

13 Apr 2026

feedSymfony Blog

Symfony UX 3.0.0 Released

Symfony UX 3.0 is a new major release. Following Symfony's release process, this version removes all features deprecated during the 2.x cycle and raises the minimum requirements to PHP 8.4 and Symfony 7.4. If your application runs without deprecation notices…

13 Apr 2026 7:44pm GMT