Skip to main content

Tealium iQ Tag Management EUVDEUVD-2026-43068

| CVE-2026-13244 HIGH
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-07-10 drupal GHSA-7cjh-fc62-8rrg
8.1
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network-reachable object injection needs a low-privileged authenticated account (PR:L), no interaction, yielding high confidentiality and integrity impact but no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

9
Analysis Updated
Jul 13, 2026 - 19:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 13, 2026 - 19:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 13, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 13, 2026 - 19:22 NVD
7.3 (HIGH) 8.1 (HIGH)
Analysis Generated
Jul 13, 2026 - 19:07 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
7.3 (HIGH)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:46 cve.org
HIGH 7.3
CVE Published
Jul 10, 2026 - 21:46 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0.

AnalysisAI

Object injection in the Drupal Tealium iQ Tag Management contributed module (versions before 2.4.0) lets authenticated attackers manipulate dynamically-determined object attributes to compromise data confidentiality and integrity. Because the CVSS vector (AV:N/AC:L/PR:L) indicates a low-privileged authenticated user over the network, any user with a foothold on the site can potentially abuse the flaw; there is no public exploit identified at time of analysis and the EPSS probability is low (0.42%). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged user
Delivery
Craft object-injection payload
Exploit
Submit to Tealium module endpoint
Execution
Overwrite dynamic object attributes
Impact
Read or tamper with sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account on the target Drupal site - the CVSS vector specifies PR:L, so a low-privileged (but non-anonymous) user is needed, not an anonymous visitor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately but not uniformly severe. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or obtains a low-privileged authenticated account on a Drupal site running a vulnerable Tealium iQ Tag Management module submits crafted input that manipulates dynamically-determined object attributes (object injection), overwriting object properties or triggering an object-injection gadget to read sensitive data or tamper with application state. Given AV:N/AC:L, the request can be delivered remotely over the network with low complexity. …
Remediation Upgrade the Tealium iQ Tag Management module to version 2.4.0 or later, which is the first release outside the affected range and corresponds to the vendor's patch (Patch: Available from vendor; Drupal advisory SA-CONTRIB-2026-064 at https://www.drupal.org/sa-contrib-2026-064). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Drupal instances using the Tealium iQ Tag Management module and verify the current version; prioritize instances handling sensitive customer or business analytics data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43068 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy