Description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.

This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Published: 2026-05-19
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improperly controlled modification of dynamically determined object attributes in Drupal core enables object injection, allowing an attacker to instantiate classes of their choosing. This flaw can be leveraged to execute arbitrary code or gain elevated privileges, and represents a high-severity weakness in the application.

Affected Systems

Drupal core is impacted across several version ranges: 8.0.0 through 10.5.8, 10.6.0 through 10.6.6, 11.0.0 through 11.2.10, and 11.3.0 through 11.3.6. All releases prior to the specified patch releases in each major and minor branch are vulnerable.

Risk and Exploitability

The vulnerability is remotely exploitable through crafted web requests that supply dynamic class names or attributes. The EPSS score of 0.00023 indicates a very low probability that an attacker will successfully exploit it. The flaw is not listed in CISA KEV, indicating no documented exploitation yet. The CVSS score is 6.6, but the combination of object injection and potential remote code execution suggests a high likelihood of severe impact if discovered or misused. Attacks would typically require the ability to send requests that influence object construction, which may be facilitated by standard user input or custom modules.

Generated by OpenCVE AI on May 20, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Drupal core to a non-vulnerable release: upgrade to 10.5.9 or later, 10.6.7 or later, 11.2.11 or later, or 11.3.7 or later, depending on your major branch.
  • Review and refactor any custom modules or code that dynamically instantiate classes or modify object attributes based on user input; sanitize or remove such patterns.
  • Temporarily disable or restrict any administrative features or modules that allow configuration of dynamic object attributes if a timely update is not feasible, to mitigate the risk until the core can be updated.

Generated by OpenCVE AI on May 20, 2026 at 15:08 UTC.


Advisories

No advisories yet.

References
History

Wed, 20 May 2026 13:30:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 01:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Drupal; Drupal drupal Core

Type: Vendors & Products
Values removed: (none)
Values added: Drupal; Drupal drupal Core

Tue, 19 May 2026 22:45:00 +0000

Type: Description
Values removed: (none)
Values added: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

Type: Title
Values removed: (none)
Values added: Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Type: Weaknesses
Values removed: (none)
Values added: CWE-915

Type: References
Values removed: (none)
Values added:

MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-05-20T12:57:32.417Z

Reserved: 2026-04-15T14:39:27.643Z

Link: CVE-2026-6366

Vulnrichment

Updated: 2026-05-20T12:57:26.604Z

NVD

Status : Awaiting Analysis

Published: 2026-05-19T23:16:58.233

Modified: 2026-05-20T13:56:48.777

Link: CVE-2026-6366

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T15:15:06Z

Weaknesses