Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-reachable SSRF gated on authenticated low-privilege access and specific feature conditions (AC:H); impact confined to low confidentiality via internal resource probing with no integrity or availability consequence.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
AnalysisAI
Server-Side Request Forgery in Drupal Core allows authenticated low-privilege users to coerce the application server into issuing unauthorized HTTP requests to internal or restricted network destinations. All active 10.6.x and 11.x release branches are affected, along with end-of-life 11.0.x and 11.1.x branches, covering a broad swath of production Drupal deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active authenticated session with at least low-privilege Drupal role access (PR:L per CVSS vector) - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 3.1 (Low) accurately reflects the constrained attack surface: High Attack Complexity (AC:H) implies specific preconditions beyond authentication alone, and Low Privilege Required (PR:L) rules out unauthenticated exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Drupal user with a low-privilege editorial or contributor role submits crafted input embedding an internal URL - such as http://169.254.169.254/latest/meta-data/ or http://internal-api.corp/admin - through a Drupal feature that performs server-side HTTP requests (such as feed aggregation, remote media fetching, or a similar subsystem). The Drupal server issues the request on the attacker's behalf and returns the response, exposing instance credentials or internal service data to the attacker. … |
| Remediation | Apply the vendor-released patches per Drupal Security Advisory SA-CORE-2026-008 at https://www.drupal.org/sa-core-2026-008. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Drupal Core
View allSQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated att
Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged auth
Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious s
Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11
Object injection in Drupal Core through improperly controlled modification of dynamically-determined object attributes (
Object injection via a mass assignment flaw in Drupal Core enables an authenticated administrator to manipulate dynamica
Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by for
Cross-site scripting (XSS) in Drupal Core affects a broad swath of the 10.x and 11.x release lines, enabling an authenti
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43084
GHSA-qrwq-jwq3-8cc8