Tealium Iq Tag Management
Monthly
Object injection in the Drupal Tealium iQ Tag Management contributed module (versions before 2.4.0) lets authenticated attackers manipulate dynamically-determined object attributes to compromise data confidentiality and integrity. Because the CVSS vector (AV:N/AC:L/PR:L) indicates a low-privileged authenticated user over the network, any user with a foothold on the site can potentially abuse the flaw; there is no public exploit identified at time of analysis and the EPSS probability is low (0.42%). Drupal has published advisory SA-CONTRIB-2026-064 and released a fixed version.
Object injection in the Drupal Tealium iQ Tag Management contributed module (versions before 2.4.0) lets authenticated attackers manipulate dynamically-determined object attributes to compromise data confidentiality and integrity. Because the CVSS vector (AV:N/AC:L/PR:L) indicates a low-privileged authenticated user over the network, any user with a foothold on the site can potentially abuse the flaw; there is no public exploit identified at time of analysis and the EPSS probability is low (0.42%). Drupal has published advisory SA-CONTRIB-2026-064 and released a fixed version.