CVE-2026-6366
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
CVSS Score
6.6
EPSS Score
0.0%
EPSS Percentile
0th
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
| CWE | CWE-915 |
| Vendor | drupal |
| Product | drupal core |
| Ecosystems | |
| Industries | WebMedia |
| Published | May 19, 2026 |
| Last Updated | May 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for drupal drupal core
Be the first to know when new medium vulnerabilities affecting drupal drupal core are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
Affected Versions
Drupal / Drupal core
8.0.0 < 10.5.9 10.6.0 < 10.6.7 11.0.0 < 11.2.11 11.3.0 < 11.3.7
Credits
Truong Le (hswww) menon t-chen Benji Fisher (benjifisher) cilefen (cilefen) Neil Drumm (drumm) Greg Knaddison (greggles) Lee Rowlands (larowlan) Dave Long (longwave) Drew Webber (mcdruid) Ra MΓΒ€nd (ram4nd) Jess (xjm) Greg Knaddison (greggles) Lee Rowlands (larowlan) Dave Long (longwave) Drew Webber (mcdruid) Juraj Nemec (poker10) Jess (xjm)