Date:
Wednesday, Apr 22nd, 2026
Advisory ID:
BACKDROP-SA-CORE-2026-001
Security risk:
Critical
Vulnerability:
Cross Site Scripting
Versions affected:
- Backdrop Core 1.33.x versions prior to 1.33.2
- Backdrop Core 1.32.x versions prior to 1.32.3
Backdrop versions 1.31 and prior do not receive security coverage.
Description:
Backdrop core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability.
Solution:
Upgrade your site to the most recent version of Backdrop core. Download the latest release from the Backdrop CMS Releases or use the built-in updater to self-update. See the update instructions, if needed.
Reported By:
Fixed By:
- Anna Kalata (akalata) of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Michael Hess (mlhess) of the Drupal Security Team
- James Gilliland (neclimdul) of the Drupal Security Team
- Joseph Zhao (pandaski) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Ra Mänd (ram4nd), provisional member of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Nate Lampton of the Backdrop CMS Security Team
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Pierre Rudloff (prudloff) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Nate Lampton of the Backdrop CMS Security Team
- Jen Lampton of the Backdrop CMS Security Team