Object Injection Vulnerability in Drupal Core
CVE-2026-55804
Currently unrated
What is CVE-2026-55804?
This vulnerability in Drupal core arises from a lack of proper controls in the modification of dynamically-determined object attributes, allowing for potential object injection. Attackers exploiting this vulnerability could manipulate object attributes in unforeseen ways, potentially leading to additional security issues within applications built on affected versions of Drupal core.
Affected Version(s)
Drupal core 0.0.0 < 10.5.12
Drupal core 10.6.0 < 10.6.11
Drupal core 11.2.0 < 11.2.14
References
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Michael Maturi (michaelmaturi)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
Mohit Aghera (mohit_aghera)
Anna Kalata (akalata)
Benji Fisher (benjifisher)
cilefen (cilefen)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
