CVE-2026-6366
Undergoing Analysis
Undergoing Analysis - In Progress
Object Injection in Drupal Core
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: Drupal.org
Description
Description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.
This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| drupal | drupal_core | From 8.0.0 (inc) to 10.5.9 (exc) |
| drupal | drupal_core | From 10.6.0 (inc) to 10.6.7 (exc) |
| drupal | drupal_core | From 11.0.0 (inc) to 11.2.11 (exc) |
| drupal | drupal_core | From 11.3.0 (inc) to 11.3.7 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Drupal core involves improperly controlled modification of dynamically-determined object attributes, which allows for Object Injection.
How can this vulnerability impact me? :
The vulnerability allows an attacker to perform Object Injection, which can lead to unauthorized modification of object attributes within Drupal core. This could potentially be exploited to manipulate application behavior or compromise system integrity.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70