Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009

Date: 2026-June-17
CVE IDs: CVE-2026-55808

The JSON:API and REST modules allow you to upload image files to image fields.

The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.

Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.

Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008

Date: 2026-June-17
CVE IDs: CVE-2026-55807

The Media module comes with support for oEmbed. The oEmbed specification contains two discovery mechanisms, via providers.json and via URL discovery.

The URL discovery code could be leveraged to trick Drupal into making server-side requests to any URL.

Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007

Date: 2026-June-17
CVE IDs: CVE-2026-55806

Drupal core ships a rebuild.php front controller that can be used to rebuild Drupal (clearing the caches and rebuilding the container) when the site is in an unexpected condition.

This script doesn't correctly check the Host header against the list of trusted host patterns. This could result in cache poisoning or a redirect to an attacker-controlled domain.

Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006

Date: 2026-June-17
CVE IDs: CVE-2026-55804

Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.

This issue is not directly exploitable.

Drupal core - Critical - PHP object injection - SA-CORE-2026-005

Date: 2026-June-17
CVE IDs: CVE-2026-55803

SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services.

The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.

This vulnerability is mitigated by the fact that in order to be exploitable:

Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050

Date: 2026-June-17
CVE IDs: CVE-2026-55810

The Plotly.js Graphing module provides a fully customizable implementation of the open source Plotly.js graphing library.

The module stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.

Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049

Date: 2026-June-17
CVE IDs: CVE-2026-55809

The Flag attendance field module gives you the ability to add attendance tracking, building on the Flag module.

flag_attendance_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.

Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048

Date: 2026-June-17
CVE IDs: CVE-2026-12535

The Formatter Field module provides a mechanism for specifying a formatter and formatter settings to be used for displaying a field, on a per-entity basis.

formatter_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.

Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047

Date: 2026-June-10
CVE IDs: CVE-2026-11915

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Composer - Critical - Unsupported - SA-CONTRIB-2026-046

Date: 2026-June-10
CVE IDs: CVE-2026-11914

The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
