Skip to main content

Drupal Core CVE-2026-55804

| EUVDEUVD-2026-43082 MEDIUM
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-07-10 drupal GHSA-x7hc-r9m3-67vr
5.9
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
5.9 MEDIUM

Network-reachable admin endpoint (AV:N), high complexity for gadget-chain construction (AC:H), admin credentials required (PR:H); no availability impact observed.

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 13, 2026 - 19:49 vuln.today
CVSS changed
Jul 13, 2026 - 19:22 NVD
5.9 (MEDIUM)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:46 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.

AnalysisAI

Object injection in Drupal Core through improperly controlled modification of dynamically-determined object attributes (CWE-915) exposes sites to high-severity confidentiality and integrity compromise when triggered by an authenticated user with high privileges. Affected branches include the entire 10.x line before 10.5.12 and 10.6.11, the fully unsupported 11.0.x and 11.1.x trees, and the 11.2.x and 11.3.x lines before 11.2.14 and 11.3.12 respectively. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain high-privilege Drupal admin credentials
Delivery
Access privileged Drupal admin endpoint over network
Exploit
Submit crafted request with malicious object attributes
Install
Trigger dynamic object attribute assignment in PHP
C2
Instantiate attacker-chosen PHP class via mass assignment
Execute
Execute PHP magic-method gadget chain
Impact
Read or modify application data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with high Drupal privileges (PR:H per CVSS vector), meaning the attacker must first obtain admin-level Drupal credentials before the injection path is reachable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Raw CVSS base score of 5.9 (Medium) is a reasonable representation of real-world risk here given the constraining metrics: AC:H means the attacker must meet non-trivial complexity conditions, and PR:H means they must already possess high-privilege (likely admin-level) Drupal credentials before exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained Drupal administrator credentials - through phishing, credential stuffing, or lateral movement - submits a specially crafted request to a privileged Drupal endpoint that passes attacker-controlled data into a dynamic object attribute assignment path. By injecting a malicious PHP object with a weaponized magic-method chain (e.g., __destruct leading to file write or system call), the attacker achieves code execution on the server under the web process account, then exfiltrates the database or site configuration. …
Remediation Upgrade to the nearest fixed release for your branch: Drupal Core 10.5.12 or 10.6.11 for 10.x deployments, 11.2.14 for 11.2.x deployments, or 11.3.12 for 11.3.x deployments. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55804 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy