{"id":"DRUPAL-CORE-2026-003","details":"Drupal 11.3 comes with support for completing entity suggestions whilst adding a link in CKEditor 5.\n\nThe suggestions aren't sufficiently sanitized, so a malicious user could trigger a stored cross-site scripting (XSS) attack against another user.","aliases":["CVE-2026-6367"],"modified":"2026-04-15T19:46:39.835222Z","published":"2026-04-15T19:27:21Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-core-2026-003"}],"affected":[{"package":{"name":"drupal/core","ecosystem":"Packagist","purl":"pkg:composer/drupal/core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11.3.0"},{"fixed":"11.3.7"}],"database_specific":{"constraint":"\u003e= 11.3.0 \u003c 11.3.7"}}],"versions":["11.3.0","11.3.1","11.3.2","11.3.3","11.3.4","11.3.5","11.3.6"],"database_specific":{"source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2026-003.json","affected_versions":"\u003e= 11.3.0 \u003c 11.3.7"}}],"schema_version":"1.7.5","credits":[{"name":"Dries Buytaert (dries)","contact":["https://www.drupal.org/u/dries"]},{"name":"Shirsendu Mondal","contact":["https://www.drupal.org/u/shirsendu-mondal"]},{"name":"cantina_security","contact":["https://www.drupal.org/u/cantina_security"]}]}