Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network, unauthenticated, no interaction with total impact, but AC:H because PHP object injection needs a viable gadget chain and CISA rates it not automatable.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Formatter Field allows Object Injection. This issue affects Formatter Field versions: from 0.0.0 to 2.0.0.
AnalysisAI
Object injection in the Drupal Formatter Field contributed module (all versions from 0.0.0 up to but not including 2.0.0) allows remote unauthenticated attackers to improperly modify dynamically-determined object attributes, potentially leading to arbitrary code execution or full site compromise. The flaw carries a CVSS 9.8 rating, but with no public exploit identified and a low EPSS probability (0.17%, 7th percentile), and SSVC currently rates exploitation as 'none'. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the vulnerable Formatter Field module (version below 2.0.0) be installed and enabled on the target Drupal site, and that a request reach the field-formatting code path that improperly handles object attribute modification / deserialization. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals here are notably in tension. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a crafted HTTP request containing a malicious serialized PHP object to a Drupal site running a vulnerable Formatter Field version, where it is deserialized or used to set object attributes without validation. If a suitable gadget chain is present in the site's loaded code, the injected object triggers unintended method execution during its lifecycle, potentially yielding remote code execution or data compromise. … |
| Remediation | Upgrade the Formatter Field module to version 2.0.0 or later, which is the first fixed release (the advisory notes the vulnerable range is 0.0.0 up to but not including 2.0.0); a patch is confirmed available per Drupal advisory SA-CONTRIB-2026-048 at https://www.drupal.org/sa-contrib-2026-048. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Drupal instances running the Formatter Field module and document their current versions to establish scope of affected systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43051
GHSA-qc2r-2xxp-m58x