CVE-2026-55806
Received
Received - Intake
Open Redirect in Drupal Core
Vulnerability report for CVE-2026-55806, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-10
Last updated on: 2026-07-10
Assigner: Drupal.org
Description
Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| drupal | drupal_core | From 0.0.0 (inc) to 10.5.12 (inc) |
| drupal | drupal_core | From 10.6.0 (inc) to 10.6.11 (inc) |
| drupal | drupal_core | From 11.2.0 (inc) to 11.2.14 (inc) |
| drupal | drupal_core | From 11.3.0 (inc) to 11.3.12 (inc) |
| drupal | drupal_core | From 0.0.0 (inc) to 11.0.* (inc) |
| drupal | drupal_core | From 0.0.0 (inc) to 11.1.* (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |