CVE-2026-6366

MEDIUM EPSS 31.8%

Published May 19, 20261mo ago · Modified Jun 17, 20261w ago

6.6 CVSS 3.1

Medium

Published May 19, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

CVSS Details

Base Score

6.6

Exploitability

0.7

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity High

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

31.8% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-915

Affected Products 4

Vendor	Product	Version	Range
drupal	drupal	*	≥8.0.0 – <10.5.9
drupal	drupal	*	≥10.6.0 – <10.6.7
drupal	drupal	*	≥11.0.0 – <11.2.11
drupal	drupal	*	≥11.3.0 – <11.3.7

References 1

drupal.org https://www.drupal.org/sa-core-2026-002

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.