Skip to main content

Formatter Field

1 CVEs product

Monthly

CVE-2026-12535 PHP CRITICAL PATCH Act Now

Object injection in the Drupal Formatter Field contributed module (all versions from 0.0.0 up to but not including 2.0.0) allows remote unauthenticated attackers to improperly modify dynamically-determined object attributes, potentially leading to arbitrary code execution or full site compromise. The flaw carries a CVSS 9.8 rating, but with no public exploit identified and a low EPSS probability (0.17%, 7th percentile), and SSVC currently rates exploitation as 'none'. A vendor patch is available via Drupal advisory SA-CONTRIB-2026-048.

Code Injection Formatter Field
NVD
CVSS 3.1
9.8
EPSS
0.2%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Object injection in the Drupal Formatter Field contributed module (all versions from 0.0.0 up to but not including 2.0.0) allows remote unauthenticated attackers to improperly modify dynamically-determined object attributes, potentially leading to arbitrary code execution or full site compromise. The flaw carries a CVSS 9.8 rating, but with no public exploit identified and a low EPSS probability (0.17%, 7th percentile), and SSVC currently rates exploitation as 'none'. A vendor patch is available via Drupal advisory SA-CONTRIB-2026-048.

Code Injection Formatter Field
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy