Skip to main content

Flag Attendance Field EUVDEUVD-2026-43053

| CVE-2026-55809 HIGH
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-07-10 drupal GHSA-66vp-2cwc-4pv3
8.1
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Remote, low-complexity object injection reachable by an authenticated low-privileged user (PR:L) with no interaction; high confidentiality and integrity impact but no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

10
Analysis Updated
Jul 13, 2026 - 19:33 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 13, 2026 - 19:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 13, 2026 - 19:22 vuln.today
cvss_changed
Severity Changed
Jul 13, 2026 - 19:22 NVD
CRITICAL HIGH
CVSS changed
Jul 13, 2026 - 19:22 NVD
9.8 (CRITICAL) 8.1 (HIGH)
Analysis Generated
Jul 13, 2026 - 19:10 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
9.8 (CRITICAL)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:44 cve.org
CRITICAL 9.8
CVE Published
Jul 10, 2026 - 21:44 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2.

AnalysisAI

Object injection in the Drupal contrib module Flag attendance field (all versions up to and including 1.2) lets an authenticated user with low privileges pass attacker-controlled data into a dynamically-determined object attribute (CWE-915), enabling PHP object injection and high-impact compromise of data confidentiality and integrity. The Drupal Security Team published advisory SA-CONTRIB-2026-049 and a fixed release is available. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Drupal account
Delivery
Access flag attendance field submission
Exploit
Craft malicious serialized object payload
Execution
Trigger dynamic attribute modification (object injection)
Impact
Exfiltrate or tamper with sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires the Flag attendance field module (version 0.0.0 through 1.2) to be installed and enabled on the target Drupal site, and the attacker must hold an authenticated account with the low-level privileges needed to submit data to the flag attendance field (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.1 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating remote, low-complexity exploitation requiring some level of authentication (PR:L) and no user interaction, with high confidentiality and integrity impact but no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a low-privileged Drupal account on a site running Flag attendance field and submits a crafted payload to the attendance flag field that manipulates a dynamically-determined object attribute, triggering PHP object injection. By supplying a serialized object matching an available gadget chain, the attacker reads or tampers with sensitive data (high confidentiality and integrity impact) without any user interaction. …
Remediation Patch available per vendor advisory: upgrade Flag attendance field to version 1.2 or later, which is the first release outside the affected 0.0.0-1.2 range, per Drupal Security Advisory SA-CONTRIB-2026-049 (https://www.drupal.org/sa-contrib-2026-049). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and catalog all Drupal systems running Flag attendance field module versions 1.2 and earlier, and classify by business criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43053 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy