Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.
This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
AnalysisAI
Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged authenticated user to manipulate dynamically-determined object attributes, with potential full compromise of confidentiality, integrity, and availability. The CVSS vector (AV:N/AC:H/PR:H) confirms this is a network-reachable flaw but imposes steep prerequisites: administrator-level access and high attack complexity. No public exploit code or confirmed active exploitation has been identified at time of analysis.
Technical ContextAI
CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) describes a class of vulnerabilities - often called mass assignment or object injection - where an application allows attacker-controlled input to set object properties that should not be externally modifiable. In PHP-based frameworks like Drupal, this commonly arises when deserialized or dynamically resolved data is used to populate object attributes without sufficient type or property validation, enabling an attacker to inject unexpected object types or overwrite internal state. The affected product is identified by CPE cpe:2.3:a:drupal:drupal_core, encompassing all four active Drupal major version lines (8.x/10.5, 10.6, 11.0-11.2, 11.3). The vulnerability is tagged as Code Injection, indicating the object injection primitive can plausibly be chained to achieve code execution.
RemediationAI
Upgrade to the patched releases issued by the Drupal Security Team: 10.5.9 (for sites on the 8.x/10.5 branch), 10.6.7 (for the 10.6 branch), 11.2.11 (for the 11.0-11.2 branch), or 11.3.7 (for the 11.3 branch). The vendor advisory at https://www.drupal.org/sa-core-2026-002 (SA-CORE-2026-002) contains authoritative upgrade instructions. As a compensating control while scheduling the upgrade, restrict administrative account access to the minimum necessary personnel, enforce multi-factor authentication on all admin accounts, and audit administrator roles for over-provisioned accounts. Since PR:H is the critical limiting factor, hardening admin access substantially reduces exploitation risk, though it does not eliminate the underlying vulnerability and should not substitute for patching.
More in Drupal Core
View allSQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated att
Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious s
Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11
Object injection in Drupal Core through improperly controlled modification of dynamically-determined object attributes (
Object injection via a mass assignment flaw in Drupal Core enables an authenticated administrator to manipulate dynamica
Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by for
Cross-site scripting (XSS) in Drupal Core affects a broad swath of the 10.x and 11.x release lines, enabling an authenti
Server-Side Request Forgery in Drupal Core allows authenticated low-privilege users to coerce the application server int
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30999
GHSA-xmjc-63pr-2mpg