Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Remote, low-complexity object injection reachable by an authenticated low-privileged user (PR:L) with no interaction; high confidentiality and integrity impact but no availability effect.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
10DescriptionCVE.org
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2.
AnalysisAI
Object injection in the Drupal contrib module Flag attendance field (all versions up to and including 1.2) lets an authenticated user with low privileges pass attacker-controlled data into a dynamically-determined object attribute (CWE-915), enabling PHP object injection and high-impact compromise of data confidentiality and integrity. The Drupal Security Team published advisory SA-CONTRIB-2026-049 and a fixed release is available. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the Flag attendance field module (version 0.0.0 through 1.2) to be installed and enabled on the target Drupal site, and the attacker must hold an authenticated account with the low-level privileges needed to submit data to the flag attendance field (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 8.1 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating remote, low-complexity exploitation requiring some level of authentication (PR:L) and no user interaction, with high confidentiality and integrity impact but no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a low-privileged Drupal account on a site running Flag attendance field and submits a crafted payload to the attendance flag field that manipulates a dynamically-determined object attribute, triggering PHP object injection. By supplying a serialized object matching an available gadget chain, the attacker reads or tampers with sensitive data (high confidentiality and integrity impact) without any user interaction. … |
| Remediation | Patch available per vendor advisory: upgrade Flag attendance field to version 1.2 or later, which is the first release outside the affected 0.0.0-1.2 range, per Drupal Security Advisory SA-CONTRIB-2026-049 (https://www.drupal.org/sa-contrib-2026-049). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and catalog all Drupal systems running Flag attendance field module versions 1.2 and earlier, and classify by business criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43053
GHSA-66vp-2cwc-4pv3