Server-Side Request Forgery in Drupal Core by Drupal
CVE-2026-55807

Currently unrated

Key Information:

Vendor

Drupal

Vendor
CVE Published:
10 July 2026

What is CVE-2026-55807?

A Server-Side Request Forgery vulnerability in Drupal Core allows attackers to manipulate server requests. This can lead to unintended information disclosure, exposing sensitive data or systems that should not be accessible externally. Implementing the latest security patches and updates is crucial for maintaining the integrity of your Drupal installation and protecting against potential exploits.

Affected Version(s)

Drupal core 0.0.0 < 10.5.12

Drupal core 10.6.0 < 10.6.11

Drupal core 11.2.0 < 11.2.14

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hamed Kohi (0xhamy)
assaf alassaf (ama62)
Albert Skibinski (askibinski)
Jon Minder (ayalon)
Lautaro Casanova (betah4k)
Gabe Sullice (gabesullice)
John Morahan (john morahan)
Michael Winser (michaelwinser)
nbanderson
offensive-ai
Francesco Placella (plach)
quynh ho (qquynh)
Himanshu Anand (unknownhad)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Adam G-H (phenaproxima)
Sean Blommaert (seanb)
Benji Fisher (benjifisher)
cilefen (cilefen)
Damien McKenna (damienmckenna)
Mori Sugimoto (dokumori)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
James Gilliland (neclimdul)
Juraj Nemec (poker10)
Jess (xjm)
.