CVE-2026-1556

UNKNOWN 0.0

Information disclosure via file URI overwrite in File (Field) Paths

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

13th

Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.

CWE	CWE-200
Vendor	drupal
Product	drupal file (field) paths
Ecosystems	PHP CMS
Industries	WebMedia
Published	Mar 26, 2026
Last Updated	Mar 27, 2026

Stay Ahead of the Next One

Get instant alerts for drupal drupal file (field) paths

Be the first to know when new unknown vulnerabilities affecting drupal drupal file (field) paths are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Drupal / Drupal File (Field) Paths

7.x-1.0 < 7.x-1.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

herodevs.com: https://www.herodevs.com/vulnerability-directory/cve-2026-1556 d7es.tag1.com: https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation

Credits

Michael Hess (mlhess)