Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network-reachable object injection needs a low-privileged authenticated account (PR:L), no interaction, yielding high confidentiality and integrity impact but no availability effect.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
9DescriptionCVE.org
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0.
AnalysisAI
Object injection in the Drupal Tealium iQ Tag Management contributed module (versions before 2.4.0) lets authenticated attackers manipulate dynamically-determined object attributes to compromise data confidentiality and integrity. Because the CVSS vector (AV:N/AC:L/PR:L) indicates a low-privileged authenticated user over the network, any user with a foothold on the site can potentially abuse the flaw; there is no public exploit identified at time of analysis and the EPSS probability is low (0.42%). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account on the target Drupal site - the CVSS vector specifies PR:L, so a low-privileged (but non-anonymous) user is needed, not an anonymous visitor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderately but not uniformly severe. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or obtains a low-privileged authenticated account on a Drupal site running a vulnerable Tealium iQ Tag Management module submits crafted input that manipulates dynamically-determined object attributes (object injection), overwriting object properties or triggering an object-injection gadget to read sensitive data or tamper with application state. Given AV:N/AC:L, the request can be delivered remotely over the network with low complexity. … |
| Remediation | Upgrade the Tealium iQ Tag Management module to version 2.4.0 or later, which is the first release outside the affected range and corresponds to the vendor's patch (Patch: Available from vendor; Drupal advisory SA-CONTRIB-2026-064 at https://www.drupal.org/sa-contrib-2026-064). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Drupal instances using the Tealium iQ Tag Management module and verify the current version; prioritize instances handling sensitive customer or business analytics data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43068
GHSA-7cjh-fc62-8rrg