Formatter Field
Monthly
Object injection in the Drupal Formatter Field contributed module (all versions from 0.0.0 up to but not including 2.0.0) allows remote unauthenticated attackers to improperly modify dynamically-determined object attributes, potentially leading to arbitrary code execution or full site compromise. The flaw carries a CVSS 9.8 rating, but with no public exploit identified and a low EPSS probability (0.17%, 7th percentile), and SSVC currently rates exploitation as 'none'. A vendor patch is available via Drupal advisory SA-CONTRIB-2026-048.
Object injection in the Drupal Formatter Field contributed module (all versions from 0.0.0 up to but not including 2.0.0) allows remote unauthenticated attackers to improperly modify dynamically-determined object attributes, potentially leading to arbitrary code execution or full site compromise. The flaw carries a CVSS 9.8 rating, but with no public exploit identified and a low EPSS probability (0.17%, 7th percentile), and SSVC currently rates exploitation as 'none'. A vendor patch is available via Drupal advisory SA-CONTRIB-2026-048.