Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability. This issue is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities:

 - Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a Cross-Site Scripting (XSS) vulnerability.

 - Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This "gadget chain" can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.

 - Drupal 11.3 includes support for completing entity suggestions when adding a link to CKEditor 5. These suggestions are not sufficiently sanitized, allowing a malicious user to trigger a stored Cross-Site Scripting (XSS) attack against other users.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 10.5.x prior to 10.5.9, 10.6.x prior to 10.6.7, 11.2.x prior to 11.2.11, or 11.3.x prior to 11.3.7. It is, therefore, affected by multiple vulnerabilities.

  - Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain     options, which which can lead to a cross-site scripting (XSS) vulnerability. (CVE-2026-6365)

  - Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The     suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting     attack against another user. (CVE-2026-6367)

  - Drupal core contains a chain of methods that could be exploitable when an insecure deserialization     vulnerability exists on the site. This so-called gadget chain presents no direct threat, but is a vector     that can be used to achieve remote code execution or SQL injection if the application deserializes     untrusted data due to another vulnerability. This issue is not directly exploitable. This issue is     mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to     allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
    (CVE-2026-6366)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
115225	Drupal 10.5.x < 10.5.9 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
115224	Drupal 10.6.x < 10.6.7 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
115223	Drupal 11.2.x < 11.2.11 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
115222	Drupal 11.3.x < 11.3.7 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
306602	Drupal 10.5.x < 10.5.9 / 10.6.x < 10.6.7 / 11.2.x < 11.2.11 / 11.3.x < 11.3.7 Multiple Vulnerabilities (drupal-2026-04-15)	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2026-6366

critical

Tenable Plugins

critical

critical

critical

critical

medium