CVE-2026-55804
Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006
CVSS Score
5.9
EPSS Score
0.2%
EPSS Percentile
6th
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
| CWE | CWE-915 |
| Vendor | drupal |
| Product | drupal core |
| Ecosystems | |
| Industries | WebMedia |
| Published | Jul 10, 2026 |
| Last Updated | Jul 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for drupal drupal core
Be the first to know when new medium vulnerabilities affecting drupal drupal core are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Drupal / Drupal core
0.0.0 < 10.5.12 10.6.0 < 10.6.11 11.2.0 < 11.2.14 11.3.0 < 11.3.12 0.0.0 < 11.0.* 0.0.0 < 11.1.*
Credits
Michael Maturi (michaelmaturi) Lee Rowlands (larowlan) Drew Webber (mcdruid) Mohit Aghera (mohit_aghera) Anna Kalata (akalata) Benji Fisher (benjifisher) cilefen (cilefen) Greg Knaddison (greggles) Lee Rowlands (larowlan) Dave Long (longwave) Drew Webber (mcdruid) Juraj Nemec (poker10) Jess (xjm)