Drupal Core CVE-2026-6366

EUVD-2026-30999, MEDIUM
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-05-19, drupal, GHSA-xmjc-63pr-2mpg
CVSS 3.1: 6.6
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Analysis Generated: May 20, 2026 - 13:23 (vuln.today)
CVSS changed: May 20, 2026 - 13:22 (NVD), 6.6 (MEDIUM)
Patch available: May 19, 2026 - 23:02 (EUVD)
CVE Published: May 19, 2026 - 22:27 (nvd), UNKNOWN (no severity yet)

Description (NVD)

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.

This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

Analysis (AI)

Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged authenticated user to manipulate dynamically-determined object attributes, with potential full compromise of confidentiality, integrity, and availability. The CVSS vector (AV:N/AC:H/PR:H) confirms this is a network-reachable flaw but imposes steep prerequisites: administrator-level access and high attack complexity. …
