Object Injection Vulnerability in Drupal Formatter Field Affects Multiple Versions
CVE-2026-12535

Currently unrated

Key Information:

Vendor

Drupal

Vendor
CVE Published:
10 July 2026

What is CVE-2026-12535?

The vulnerability in the Drupal Formatter Field arises from an improperly controlled modification of dynamically determined object attributes, leading to potential object injection. This flaw allows attackers to manipulate application behavior through crafted input, impacting versions from 0.0.0 to 2.0.0. It's critical for users and developers to secure their installations and monitor for potential exploits. Detailed guidance can be found in the Drupal security advisory.

Affected Version(s)

Formatter Field 0.0.0 < 2.0.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Drew Webber (mcdruid)
Kostia Bohach (_shy)
Benji Fisher (benjifisher)
Drew Webber (mcdruid)
Jess (xjm)
.