Skip to main content

Drupal Core EUVDEUVD-2026-30999

| CVE-2026-6366 MEDIUM
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-05-19 drupal GHSA-xmjc-63pr-2mpg
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 13:23 vuln.today
CVSS changed
May 20, 2026 - 13:22 NVD
6.6 (MEDIUM)
Patch available
May 19, 2026 - 23:02 EUVD
CVE Published
May 19, 2026 - 22:27 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.

This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

AnalysisAI

Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged authenticated user to manipulate dynamically-determined object attributes, with potential full compromise of confidentiality, integrity, and availability. The CVSS vector (AV:N/AC:H/PR:H) confirms this is a network-reachable flaw but imposes steep prerequisites: administrator-level access and high attack complexity. No public exploit code or confirmed active exploitation has been identified at time of analysis.

Technical ContextAI

CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) describes a class of vulnerabilities - often called mass assignment or object injection - where an application allows attacker-controlled input to set object properties that should not be externally modifiable. In PHP-based frameworks like Drupal, this commonly arises when deserialized or dynamically resolved data is used to populate object attributes without sufficient type or property validation, enabling an attacker to inject unexpected object types or overwrite internal state. The affected product is identified by CPE cpe:2.3:a:drupal:drupal_core, encompassing all four active Drupal major version lines (8.x/10.5, 10.6, 11.0-11.2, 11.3). The vulnerability is tagged as Code Injection, indicating the object injection primitive can plausibly be chained to achieve code execution.

RemediationAI

Upgrade to the patched releases issued by the Drupal Security Team: 10.5.9 (for sites on the 8.x/10.5 branch), 10.6.7 (for the 10.6 branch), 11.2.11 (for the 11.0-11.2 branch), or 11.3.7 (for the 11.3 branch). The vendor advisory at https://www.drupal.org/sa-core-2026-002 (SA-CORE-2026-002) contains authoritative upgrade instructions. As a compensating control while scheduling the upgrade, restrict administrative account access to the minimum necessary personnel, enforce multi-factor authentication on all admin accounts, and audit administrator roles for over-provisioned accounts. Since PR:H is the critical limiting factor, hardening admin access substantially reduces exploitation risk, though it does not eliminate the underlying vulnerability and should not substitute for patching.

Share

EUVD-2026-30999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy