Skip to main content

Examples for Developers EUVDEUVD-2026-43050

| CVE-2026-11909 LOW
Missing Authorization (CWE-862)
2026-07-10 drupal GHSA-q6w5-4q59-rj5q
3.3
CVSS 3.1 · Vendor: drupal

Severity by source

Vendor (drupal) PRIMARY
3.3 LOW
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
3.3 LOW

Network-accessible Drupal route but PR:H required (elevated session prerequisite) and AC:H reflects non-trivial path enumeration; no availability impact applies.

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Generated
Jul 13, 2026 - 21:16 vuln.today
Severity Changed
Jul 13, 2026 - 19:22 NVD
CRITICAL LOW
CVSS changed
Jul 13, 2026 - 19:22 NVD
9.8 (CRITICAL) 3.3 (LOW)
CVSS changed
Jul 13, 2026 - 19:07 NVD
9.8 (CRITICAL)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:43 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Missing Authorization vulnerability in Drupal Examples for Developers allows Forceful Browsing. This issue affects Examples for Developers versions: from 0.0.0 to 4.0.6.

AnalysisAI

Missing Authorization in Drupal's Examples for Developers module (versions 0.0.0 through 4.0.5) permits forceful browsing by an already highly-privileged authenticated attacker, exposing restricted paths with limited confidentiality and integrity impact. All available signals converge on minimal real-world risk: CVSS scores 3.3 (Low), EPSS sits at 0.14% (4th percentile), SSVC reports no known exploitation and non-automatable attack conditions, and neither active exploitation nor public proof-of-concept code has been identified. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privilege Drupal credentials
Exploit
Identify restricted Examples module routes
Execution
Issue direct HTTP request bypassing authorization
Impact
Access or modify limited protected resources

Vulnerability AssessmentAI

Exploitation Exploitation requires the Examples for Developers Drupal contributed module (versions 0.0.0 through 4.0.5) to be installed and enabled on the target site - a condition that should not exist in production environments, as this module is explicitly a developer reference tool. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N yields a score of 3.3 (Low), and the high complexity (AC:H) combined with high required privileges (PR:H) severely constrains the practical attack surface - an attacker must already hold elevated Drupal credentials and navigate specific non-obvious conditions to trigger the flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already holds a high-privilege authenticated Drupal account - such as an administrator or a compromised privileged user - directly browses to restricted URL paths exposed by the Examples for Developers module that lack proper authorization checks. The missing access control allows the attacker to view or modify limited content or configuration data accessible through those routes without the system enforcing the intended permission boundary. …
Remediation Update the Examples for Developers Drupal module to version 4.0.6 or later, as confirmed by the affected version range in EUVD-2026-43050 and the vendor advisory at https://www.drupal.org/sa-contrib-2026-044. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy