CVE-2026-55804 PUBLISHED

Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006

Assigner: drupal
Reserved: 17.06.2026 Published: 10.07.2026 Updated: 10.07.2026

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0., from 0.0.0 to 11.1..

Product Status

Vendor Drupal
Product Drupal core
Versions
  • affected from 0.0.0 to 10.5.12 (excl.)
  • affected from 10.6.0 to 10.6.11 (excl.)
  • affected from 11.2.0 to 11.2.14 (excl.)
  • affected from 11.3.0 to 11.3.12 (excl.)
  • affected from 0.0.0 to 11.0.* (excl.)
  • affected from 0.0.0 to 11.1.* (excl.)

Credits

  • Michael Maturi (michaelmaturi) finder
  • Lee Rowlands (larowlan) remediation developer
  • Drew Webber (mcdruid) remediation developer
  • Mohit Aghera (mohit_aghera) remediation developer
  • Anna Kalata (akalata) coordinator
  • Benji Fisher (benjifisher) coordinator
  • cilefen (cilefen) coordinator
  • Greg Knaddison (greggles) coordinator
  • Lee Rowlands (larowlan) coordinator
  • Dave Long (longwave) coordinator
  • Drew Webber (mcdruid) coordinator
  • Juraj Nemec (poker10) coordinator
  • Jess (xjm) coordinator

References

Problem Types

  • CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE

Impacts

  • CAPEC-586 Object Injection