Drupal Core Security
Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009
The JSON:API and REST modules allow you to upload image files to image fields.
The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.
Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.
Solution:Install the latest version:
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.12.
- If you use Drupal 11.2.x, update to Drupal 11.2.14.
Drupal 10
- If you use Drupal 10.6.x, update to Drupal 10.6.11.
- If you use Drupal 10.5.x, update to Drupal 10.5.12.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:- Björn Brala (bbrala)
- Kim Pepper (kim.pepper)
- Lee Rowlands (larowlan) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008
The Media module comes with support for oEmbed. The oEmbed specification contains two discovery mechanisms, via providers.json and via URL discovery.
The URL discovery code could be leveraged to trick Drupal into making server-side requests to any URL.
Solution:Install the latest version:
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.12.
- If you use Drupal 11.2.x, update to Drupal 11.2.14.
Drupal 10
- If you use Drupal 10.6.x, update to Drupal 10.6.11.
- If you use Drupal 10.5.x, update to Drupal 10.5.12.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Required site changes for URL discoveryMost users of the oEmbed functionality in Drupal likely use providers.json to define known providers (such as YouTube and Vimeo) for embedding content.
If you are using URL discovery, you now need to set a list of trusted oEmbed discovery hosts in settings.php.
This is an array containing a series of regular expressions for matching host names for discovery. It follows the same pattern as the existing trusted hosts settings.
Example:
// Only allow URL discovery from example.com. $settings['media_oembed_discovery_trusted_host_patterns'] = [ '^example\.com$', ]; Reported By:- Hamed Kohi (0xhamy)
- assaf alassaf (ama62)
- Albert Skibinski (askibinski)
- Jon Minder (ayalon)
- Lautaro Casanova (betah4k)
- Gabe Sullice (gabesullice)
- John Morahan (john morahan)
- Michael Winser (michaelwinser)
- nbanderson
- offensive-ai
- Francesco Placella (plach)
- quynh ho (qquynh)
- Himanshu Anand (unknownhad)
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Adam G-H (phenaproxima)
- Sean Blommaert (seanb)
- Benji Fisher (benjifisher) of the Drupal Security Team
- cilefen (cilefen) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Mori Sugimoto (dokumori) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- James Gilliland (neclimdul) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007
Drupal core ships a rebuild.php front controller that can be used to rebuild Drupal (clearing the caches and rebuilding the container) when the site is in an unexpected condition.
This script doesn't correctly check the Host header against the list of trusted host patterns. This could result in cache poisoning or a redirect to an attacker-controlled domain.
Solution:Install the latest version:
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.12.
- If you use Drupal 11.2.x, update to Drupal 11.2.14.
Drupal 10
- If you use Drupal 10.6.x, update to Drupal 10.6.11.
- If you use Drupal 10.5.x, update to Drupal 10.5.12.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:- Lee Rowlands (larowlan) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- cilefen (cilefen) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- James Gilliland (neclimdul) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006
Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.
This issue is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize().
Solution:Install the latest version:
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.12.
- If you use Drupal 11.2.x, update to Drupal 11.2.14.
Drupal 10
- If you use Drupal 10.6.x, update to Drupal 10.6.11.
- If you use Drupal 10.5.x, update to Drupal 10.5.12.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:- Lee Rowlands (larowlan) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Mohit Aghera (mohit_aghera)
- Anna Kalata (akalata) of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- cilefen (cilefen) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Drupal core - Critical - PHP object injection - SA-CORE-2026-005
SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services.
The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.
This vulnerability is mitigated by the fact that in order to be exploitable:
- A site must use an entity reference field type that stores a serialized property.
- An attacker must have permission to write to the entity via JSON:API.
No field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules.
JSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access).
Drupal Steward protection:This issue is being protected by Drupal Steward. In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are not mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release.
Solution:Install the latest version:
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.12.
- If you use Drupal 11.2.x, update to Drupal 11.2.14.
Drupal 10
- If you use Drupal 10.6.x, update to Drupal 10.6.11.
- If you use Drupal 10.5.x, update to Drupal 10.5.12.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:- Björn Brala (bbrala)
- Sascha Grossenbacher (berdir)
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Anna Kalata (akalata) of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- David Strauss (david strauss) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Tim Hestenes Lehnen (hestenet)
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Ra Mänd (ram4nd) provisional member of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.
This vulnerability can be exploited by anonymous users.
This SQL injection vulnerability only affects sites using PostgreSQL. However, the third-party dependency updates in these releases apply to all sites.
UpdatesMay 22 2026, 04:30 UTC: The risk score has been updated to reflect that exploit attempts are now being detected in the wild.
Upstream security advisoriesThe Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities.
Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.
Solution:Install the latest version.
Drupal 11- If you use Drupal 11.3.x, update to Drupal 11.3.10.
- If you use Drupal 11.2.x, update to Drupal 11.2.12.
- If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10.
- If you use Drupal 10.6.x, update to Drupal 10.6.9.
- If you use Drupal 10.5.x, update to Drupal 10.5.10.
- If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10.
- If you use any version of Drupal 9, try manually applying the Drupal 9.5 patch for this issue.
- If you use Drupal 8.9, try manually applying the Drupal 8.9 patch for this issue.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.
Reported By: Fixed By:- Björn Brala (bbrala)
- Benji Fisher (benjifisher) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Anna Kalata (akalata) of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Heine Deelstra (heine) of the Drupal Security Team
- Tim Hestenes Lehnen (hestenet)
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff) of the Drupal Security Team
- quietone (quietone)
- Jess (xjm) of the Drupal Security Team
- Cathy Theys (yesct) of the Drupal Security Team
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5.
The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user.
Solution:Install the latest version:
- If you use Drupal 11.3.x, update to Drupal 11.3.7
- Drupal versions below 11.3 are not affected by this vulnerability
- Lee Rowlands (larowlan) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Mingsong (mingsong), provisional member of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.
This issue is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
Solution:Install the latest version:
- If you use Drupal 10.5.x, update to Drupal 10.5.9.
- If you use Drupal 10.6.x, update to Drupal 10.6.7.
- If you use Drupal 11.2.x, update to Drupal 11.2.11.
- If you use Drupal 11.3.x, update to Drupal 11.3.7.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:- Benji Fisher (benjifisher) of the Drupal Security Team
- cilefen (cilefen) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Ra Mänd (ram4nd), provisional member of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability.
Solution:Install the latest version:
- If you use Drupal 10.5.x, update to Drupal 10.5.9.
- If you use Drupal 10.6.x, update to Drupal 10.6.7.
- If you use Drupal 11.2.x, update to Drupal 11.2.11.
- If you use Drupal 11.3.x, update to Drupal 11.3.7.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:- Anna Kalata (akalata) of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Michael Hess (mlhess) of the Drupal Security Team
- James Gilliland (neclimdul) of the Drupal Security Team
- Joseph Zhao (pandaski) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Ra Mänd (ram4nd), provisional member of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Pierre Rudloff (prudloff) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Neue Kommentare
vor 1 Woche 3 Tagen
vor 1 Woche 5 Tagen
vor 1 Woche 6 Tagen
vor 2 Wochen 1 Tag
vor 5 Wochen 3 Tagen
vor 5 Wochen 3 Tagen
vor 5 Wochen 3 Tagen
vor 6 Wochen 5 Tagen
vor 7 Wochen 17 Stunden
vor 7 Wochen 2 Tagen