{"id":"CVE-2026-55808","summary":"Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009","details":"Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.","aliases":["DRUPAL-CORE-2026-009"],"modified":"2026-07-16T03:31:07.563687149Z","published":"2026-07-10T21:46:43.600Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55808.json","cna_assigner":"drupal","cwe_ids":["CWE-79"]},"references":[{"type":"WEB","url":"https://git.drupalcode.org/project/drupal"},{"type":"WEB","url":"https://www.drupal.org/project/drupal"},{"type":"WEB","url":"https://www.drupal.org/sa-core-2026-009"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55808.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55808"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.drupalcode.org/project/drupal","events":[{"introduced":"0"},{"fixed":"aa50cd50d157c4f8c67d08bb81b600c88fab5f3d"},{"fixed":"140f94ff1051644c4416c7ed30cc5dd1f14507b2"},{"fixed":"09d3d7fd4a638e3cc53eff60922765ad3af19c66"},{"introduced":"920f3f7ab87ba2cca9191ec292d356197de4bc0a"},{"fixed":"67d182d2206d154708773d56d0fed0627cf7a22c"},{"introduced":"338d58439d5b59d92ac9519ad81ffd916b673841"},{"fixed":"bea43c2292caaae5bbdd8eff9afbaacabfac2ff1"},{"introduced":"ac5da07ad88571dbb31dfb52f055bb0d4063f598"},{"fixed":"9b9e9b073cc79cfe537d15ef7240367c0586ae28"}],"database_specific":{"extracted_events":[{"introduced":"0.0.0"},{"fixed":"10.5.12"},{"fixed":"11.0.*"},{"fixed":"11.1.*"},{"introduced":"10.6.0"},{"fixed":"10.6.11"},{"introduced":"11.2.0"},{"fixed":"11.2.14"},{"introduced":"11.3.0"},{"fixed":"11.3.12"}],"source":"AFFECTED_FIELD"}}],"versions":["10.5.11","10.6.10","11.2.13","11.3.11","10.6.8","11.3.9","11.3.8","10.5.8","10.6.6","11.2.10","11.3.6","10.6.5","11.3.5","10.6.4","11.3.4","10.6.3","11.3.3","10.6.2","11.3.2","11.3.1","10.6.1","11.3.0","10.6.0","11.2.9","10.5.7","10.5.5","11.2.6","10.5.4","11.2.5","10.5.3","11.2.4","10.5.2","11.2.3","10.5.1","11.2.2","11.2.1","11.2.0","10.5.0","10.5.0-rc1","10.5.0-beta1","11.1.0-rc1","11.1.0-beta1","11.0.0-beta1","11.0.0-alpha1","10.1.0-alpha1","10.0.0-alpha5","10.0.0-alpha4","10.0.0-alpha3","10.0.0-alpha1","9.0.0-alpha2","9.0.0-alpha1","8.1.0-beta1","8.0.0","8.0.0-rc4","8.0.0-rc3","8.0.0-rc2","8.0.0-rc1","8.0.0-beta16","8.0.0-beta15","8.0.0-beta14","8.0.0-beta13","8.0.0-beta12","8.0.0-beta11","8.0.0-beta10","8.0.0-beta9","8.0.0-beta7","8.0.0-beta6","8.0.0-beta5","8.0.0-beta4","8.0.0-beta3","8.0.0-beta2","8.0.0-beta1","8.0.0-alpha15","8.0.0-alpha14","8.0-alpha13","8.0-alpha12","8.0-alpha11","8.0-alpha10","8.0-alpha9","8.0-alpha8","8.0-alpha7","8.0-alpha6","8.0-alpha5","8.0-alpha4","8.0-alpha3","8.0-alpha2","7.0","7.0-rc-4","7.0-rc-3","7.0-rc-2","7.0-rc-1","7.0-beta3","7.0-beta2","7.0-beta1","7.0-alpha7","7.0-alpha6","7.0-alpha5","7.0-alpha4","7.0-alpha3","7.0-alpha2","7.0-alpha1","7.0-unstable-10","7.0-unstable-7","7.0-unstable-6","7.0-unstable-5","7.0-unstable-4","7.0-unstable-3","7.0-unstable-2","7.0-unstable-1","6.0-rc-3","6.0-rc-2","6.0-rc-1","6.0-beta-4","6.0-beta-3","6.0-beta-2","6.0-beta-1","5.0-rc-2","5.0-rc-1","5.0-beta-2","5.0-beta-1","3.0.1","2.0","1.0","start"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55808.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}