Object Injection Vulnerability in Drupal Core by Drupal
CVE-2026-6366
6.6 MEDIUM
What is CVE-2026-6366?
A vulnerability in Drupal core allows improper control over the modification of dynamically-determined object attributes, which can lead to object injection attacks. This may allow attackers to manipulate objects and execute unauthorized commands or access sensitive data. Affected versions span multiple major releases, so upgrading to a secure version is important to mitigate this risk.
Affected Version(s)
Drupal core >= 8.0.0, < 10.5.9
Drupal core >= 10.6.0, < 10.6.7
Drupal core >= 11.0.0, < 11.2.11
CVSS V3.1
Score: 6.6
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Truong Le (hswww)
menon
t-chen
Benji Fisher (benjifisher)
cilefen (cilefen)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Ra Mänd (ram4nd)
Jess (xjm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
