Object Injection Vulnerability in Drupal Core
CVE-2026-55804

Currently unrated

Key Information:

Vendor

Drupal

Vendor
CVE Published:
10 July 2026

What is CVE-2026-55804?

This vulnerability in Drupal core arises from a lack of proper controls in the modification of dynamically-determined object attributes, allowing for potential object injection. Attackers exploiting this vulnerability could manipulate object attributes in unforeseen ways, potentially leading to additional security issues within applications built on affected versions of Drupal core.

Affected Version(s)

Drupal core 0.0.0 < 10.5.12

Drupal core 10.6.0 < 10.6.11

Drupal core 11.2.0 < 11.2.14

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Maturi (michaelmaturi)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
Mohit Aghera (mohit_aghera)
Anna Kalata (akalata)
Benji Fisher (benjifisher)
cilefen (cilefen)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
.