Drupal has patched a Critical cross-site scripting (XSS) vulnerability in Drupal Core.
A remote attacker could exploit this vulnerability to compromise an affected system.
The Drupal update SA-CORE-2021-002 patches a Critical vulnerability where Drupal core’s sanitization API fails to properly filter cross-site scripting under certain circumstances. The issue affects Drupal 7, 8.9, 9.0 and 9.1.
Moreover, patches are not available for end-of-life versions of Drupal 8 prior to 8.9x.
There was no CVE assigned to this vulnerability at the time of advisory publication.