Cross-site scripting vulnerability in Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.

Affected Packages

Packagist drupal/core

Affected versions: 8.8.0 (fixed in 8.8.10)

Packagist drupal/core

Affected versions: 8.9.0 (fixed in 8.9.6)

Packagist drupal/core

Affected versions: 9.0.0 (fixed in 9.0.6)

Related CVEs

CVE-2020-13688

Key Information

GHSA ID

GHSA-qf2g-mrrx-rr5p

Published

May 24, 2022 7:05 PM

Last Modified

April 23, 2024 10:30 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

drupal/core

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.