CVE-2026-55803

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.

Credits

Michael Maturi (michaelmaturi)
Björn Brala (bbrala)
Sascha Grossenbacher (berdir)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Anna Kalata (akalata)
Benji Fisher (benjifisher)
Damien McKenna (damienmckenna)
David Strauss (david strauss)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Tim Hestenes Lehnen (hestenet)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)

References