Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
PR:H confirmed by privilege-gated Drupal module access; AC:H reflects specific configuration precondition; no availability impact identified.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*.
AnalysisAI
High-privilege network exploitation of the Drupal Raw Formatter [Meta Tag Formatter] contributed module leads to high confidentiality and integrity impact across all released versions. The vulnerability requires an authenticated user with elevated Drupal permissions and high attack complexity (PR:H, AC:H per CVSS), significantly narrowing the realistic attack surface despite the notable C:H/I:H impact rating. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with high-privilege Drupal permissions (PR:H per CVSS), limiting the attack to users with administrator-level or elevated content/configuration roles. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The overall real-world risk is moderate-to-low despite the CVSS impact metrics. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A high-privilege Drupal user - such as an administrator or a role with module configuration access - navigates to a Raw Formatter-managed content field or meta tag configuration endpoint and triggers a complex precondition (AC:H) that causes the module to expose or modify protected content. Given PR:H and AC:H, the most realistic scenario is an insider threat or session hijacking of an admin account rather than opportunistic external attack. … |
| Remediation | Consult the Drupal security advisory at https://www.drupal.org/sa-contrib-2026-077 for the official fix - a specific patched version number is not confirmed in available data, so the patch availability status should be verified directly with Drupal's security team before assuming a release exists. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43089
GHSA-vxww-4cjp-32x4