Skip to main content

Formatter Field CVE-2026-12535

| EUVDEUVD-2026-43051 CRITICAL
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-07-10 drupal GHSA-qc2r-2xxp-m58x
9.8
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network, unauthenticated, no interaction with total impact, but AC:H because PHP object injection needs a viable gadget chain and CISA rates it not automatable.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 13, 2026 - 21:15 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
9.8 (CRITICAL)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:43 cve.org
CRITICAL 9.8
CVE Published
Jul 10, 2026 - 21:43 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Formatter Field allows Object Injection. This issue affects Formatter Field versions: from 0.0.0 to 2.0.0.

AnalysisAI

Object injection in the Drupal Formatter Field contributed module (all versions from 0.0.0 up to but not including 2.0.0) allows remote unauthenticated attackers to improperly modify dynamically-determined object attributes, potentially leading to arbitrary code execution or full site compromise. The flaw carries a CVSS 9.8 rating, but with no public exploit identified and a low EPSS probability (0.17%, 7th percentile), and SSVC currently rates exploitation as 'none'. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Drupal site with Formatter Field <2.0.0
Delivery
Send crafted request with malicious serialized object
Exploit
Trigger improper object attribute modification
Execution
Deserialization instantiates gadget chain
Impact
Execute code or compromise site data

Vulnerability AssessmentAI

Exploitation Exploitation requires that the vulnerable Formatter Field module (version below 2.0.0) be installed and enabled on the target Drupal site, and that a request reach the field-formatting code path that improperly handles object attribute modification / deserialization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals here are notably in tension. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted HTTP request containing a malicious serialized PHP object to a Drupal site running a vulnerable Formatter Field version, where it is deserialized or used to set object attributes without validation. If a suitable gadget chain is present in the site's loaded code, the injected object triggers unintended method execution during its lifecycle, potentially yielding remote code execution or data compromise. …
Remediation Upgrade the Formatter Field module to version 2.0.0 or later, which is the first fixed release (the advisory notes the vulnerable range is 0.0.0 up to but not including 2.0.0); a patch is confirmed available per Drupal advisory SA-CONTRIB-2026-048 at https://www.drupal.org/sa-contrib-2026-048. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Drupal instances running the Formatter Field module and document their current versions to establish scope of affected systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12535 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy