Object Injection Vulnerability in Drupal Core by Drupal
CVE-2026-55803

Currently unrated

Key Information:

Vendor

Drupal

Vendor
CVE Published:
10 July 2026

What is CVE-2026-55803?

An object injection vulnerability exists in the Drupal core, allowing attackers to exploit improperly controlled modifications of dynamically-determined object attributes. This flaw could lead to potential malicious activities, impacting the integrity and security of Drupal-based websites. Affected versions include multiple releases, emphasizing the importance of keeping the system updated to mitigate such risks.

Affected Version(s)

Drupal core 0.0.0 < 10.5.12

Drupal core 10.6.0 < 10.6.11

Drupal core 11.2.0 < 11.2.14

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Maturi (michaelmaturi)
Björn Brala (bbrala)
Sascha Grossenbacher (berdir)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Anna Kalata (akalata)
Benji Fisher (benjifisher)
Damien McKenna (damienmckenna)
David Strauss (david strauss)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Tim Hestenes Lehnen (hestenet)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
.