CVE-2026-55806 PUBLISHED

Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007

Assigner: drupal
Reserved: 17.06.2026 Published: 10.07.2026 Updated: 10.07.2026

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0., from 0.0.0 to 11.1..

Product Status

Vendor Drupal
Product Drupal core
Versions
  • affected from 0.0.0 to 10.5.12 (excl.)
  • affected from 10.6.0 to 10.6.11 (excl.)
  • affected from 11.2.0 to 11.2.14 (excl.)
  • affected from 11.3.0 to 11.3.12 (excl.)
  • affected from 0.0.0 to 11.0.* (excl.)
  • affected from 0.0.0 to 11.1.* (excl.)

Credits

  • Melih Acikoz finder
  • Michael Winser (michaelwinser) finder
  • Willem Drupal enthousiast (willempje2) finder
  • Lee Rowlands (larowlan) remediation developer
  • catch (catch) coordinator
  • cilefen (cilefen) coordinator
  • Greg Knaddison (greggles) coordinator
  • Lee Rowlands (larowlan) coordinator
  • Dave Long (longwave) coordinator
  • James Gilliland (neclimdul) coordinator
  • Juraj Nemec (poker10) coordinator
  • Jess (xjm) coordinator

References

Problem Types

  • CWE-601 URL Redirection to Untrusted Site ('Open Redirect') CWE

Impacts

  • CAPEC-148 Content Spoofing