CVE-2026-55807

Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.

Credits

Hamed Kohi (0xhamy)
assaf alassaf (ama62)
Albert Skibinski (askibinski)
Jon Minder (ayalon)
Lautaro Casanova (betah4k)
Gabe Sullice (gabesullice)
John Morahan (john morahan)
Michael Winser (michaelwinser)
nbanderson
offensive-ai
Francesco Placella (plach)
quynh ho (qquynh)
Himanshu Anand (unknownhad)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Adam G-H (phenaproxima)
Sean Blommaert (seanb)
Benji Fisher (benjifisher)
cilefen (cilefen)
Damien McKenna (damienmckenna)
Mori Sugimoto (dokumori)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
James Gilliland (neclimdul)
Juraj Nemec (poker10)
Jess (xjm)

References