CVE-2026-55803 PUBLISHED

Drupal core - Critical - PHP object injection - SA-CORE-2026-005

Assigner: drupal
Reserved: 17.06.2026 Published: 10.07.2026 Updated: 10.07.2026

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0., from 0.0.0 to 11.1..

Product Status

Vendor Drupal
Product Drupal core
Versions
  • affected from 0.0.0 to 10.5.12 (excl.)
  • affected from 10.6.0 to 10.6.11 (excl.)
  • affected from 11.2.0 to 11.2.14 (excl.)
  • affected from 11.3.0 to 11.3.12 (excl.)
  • affected from 0.0.0 to 11.0.* (excl.)
  • affected from 0.0.0 to 11.1.* (excl.)

Credits

  • Michael Maturi (michaelmaturi) finder
  • Björn Brala (bbrala) remediation developer
  • Sascha Grossenbacher (berdir) remediation developer
  • Lee Rowlands (larowlan) remediation developer
  • Dave Long (longwave) remediation developer
  • Drew Webber (mcdruid) remediation developer
  • Anna Kalata (akalata) coordinator
  • Benji Fisher (benjifisher) coordinator
  • Damien McKenna (damienmckenna) coordinator
  • David Strauss (david strauss) coordinator
  • Neil Drumm (drumm) coordinator
  • Greg Knaddison (greggles) coordinator
  • Tim Hestenes Lehnen (hestenet) coordinator
  • Lee Rowlands (larowlan) coordinator
  • Dave Long (longwave) coordinator
  • Drew Webber (mcdruid) coordinator
  • Juraj Nemec (poker10) coordinator
  • Ra Mänd (ram4nd) coordinator
  • Jess (xjm) coordinator

References

Problem Types

  • CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE

Impacts

  • CAPEC-586 Object Injection