VDB
KO

DRUPAL-CORE-2026-012

Details

The Layout Builder module doesn't sufficiently sanitize block labels in certain scenarios, which can lead to a cross-site scripting (XSS) vulnerability.

This is mitigated by the fact that both the attacker and the targeted user need to be using the Layout Builder editing interface.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / drupal/core
Introduced in: 0 Fixed in: 10.6.13
Fix composer require drupal/core:^10.6.13

References