DRUPAL-CORE-2026-003
Details
Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5.
The suggestions aren't sufficiently sanitized, and a malicious user could trigger a stored cross-site scripting (XSS) attack against another user.
Affected packages
Packagist / drupal/core
Introduced in: 11.3.0
Fixed in: 11.3.7
Fix
composer require drupal/core:^11.3.7