—
DRUPAL-CORE-2026-012
Details
The Layout Builder module doesn't sufficiently sanitize block labels in certain scenarios, which can lead to a cross-site scripting (XSS) vulnerability.
This is mitigated by the fact that both the attacker and the targeted user need to be using the Layout Builder editing interface.
Are you affected?
Enter the version of the package you're using.
Affected packages
Packagist / drupal/core
Introduced in:
0 Fixed in: 10.6.13 Fix
composer require drupal/core:^10.6.13