Skip to main content

Drupal Raw Formatter CVE-2026-15086

| EUVDEUVD-2026-43089 MEDIUM
2026-07-10 drupal GHSA-vxww-4cjp-32x4
5.9
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
5.9 MEDIUM

PR:H confirmed by privilege-gated Drupal module access; AC:H reflects specific configuration precondition; no availability impact identified.

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 13, 2026 - 22:31 vuln.today
CVSS changed
Jul 13, 2026 - 20:22 NVD
5.9 (MEDIUM)
CVE Published
Jul 10, 2026 - 21:57 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*.

AnalysisAI

High-privilege network exploitation of the Drupal Raw Formatter [Meta Tag Formatter] contributed module leads to high confidentiality and integrity impact across all released versions. The vulnerability requires an authenticated user with elevated Drupal permissions and high attack complexity (PR:H, AC:H per CVSS), significantly narrowing the realistic attack surface despite the notable C:H/I:H impact rating. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privilege Drupal credentials
Delivery
Access Raw Formatter module configuration
Exploit
Trigger complex precondition in meta tag field
Execution
Exploit improper output handling
Impact
Access or modify protected site content

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with high-privilege Drupal permissions (PR:H per CVSS), limiting the attack to users with administrator-level or elevated content/configuration roles. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The overall real-world risk is moderate-to-low despite the CVSS impact metrics. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A high-privilege Drupal user - such as an administrator or a role with module configuration access - navigates to a Raw Formatter-managed content field or meta tag configuration endpoint and triggers a complex precondition (AC:H) that causes the module to expose or modify protected content. Given PR:H and AC:H, the most realistic scenario is an insider threat or session hijacking of an admin account rather than opportunistic external attack. …
Remediation Consult the Drupal security advisory at https://www.drupal.org/sa-contrib-2026-077 for the official fix - a specific patched version number is not confirmed in available data, so the patch availability status should be verified directly with Drupal's security team before assuming a release exists. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy