Skip to main content

Drupal WissKI CVE-2026-13239

| EUVDEUVD-2026-43063 MEDIUM
Missing Authorization (CWE-862)
2026-07-10 drupal GHSA-8375-8mwf-6r6x
6.5
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Forceful browsing over network with no auth or interaction; partial C and I only, no availability impact, no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

7
Analysis Generated
Jul 13, 2026 - 21:18 vuln.today
Severity Changed
Jul 13, 2026 - 19:22 NVD
CRITICAL MEDIUM
CVSS changed
Jul 13, 2026 - 19:22 NVD
9.8 (CRITICAL) 6.5 (MEDIUM)
CVSS changed
Jul 13, 2026 - 19:07 NVD
9.8 (CRITICAL)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:44 cve.org
MEDIUM 6.5
CVE Published
Jul 10, 2026 - 21:44 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Missing Authorization vulnerability in Drupal WissKI allows Forceful Browsing. This issue affects WissKI versions: from 0.0.0 to 4.2.0.

AnalysisAI

Missing authorization controls in Drupal WissKI versions prior to 4.2.0 enable unauthenticated remote attackers to perform forceful browsing - directly accessing restricted resources by guessing or enumerating URLs without undergoing proper authorization checks. The affected versions span the entire release history from 0.0.0 through 4.2.0, making all prior deployments vulnerable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify public Drupal site with WissKI installed
Delivery
Enumerate WissKI-registered Drupal routes via module docs or source
Exploit
Send unauthenticated HTTP request to restricted WissKI endpoint
Execution
Missing authorization check bypassed
Impact
Access or manipulate restricted semantic/entity data

Vulnerability AssessmentAI

Exploitation No authentication is required - the CVSS vector PR:N confirms unauthenticated access is sufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) is driven by network accessibility (AV:N), low complexity (AC:L), no required privileges (PR:N), and no user interaction (UI:N), with partial confidentiality and integrity impact but no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker enumerates WissKI-specific Drupal route paths - discoverable through public documentation or module source inspection - and issues direct HTTP GET requests to restricted endpoints without holding the required permissions. The missing authorization check allows the server to respond with restricted entity or ontology data, or permits state-modifying actions, without the attacker ever authenticating. …
Remediation The vendor has released a patch; upgrade WissKI to version 4.2.0 or later by following the standard Drupal module update procedure (composer update drupal/wisski or via the Drupal admin interface). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13239 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy