CVEFinder.io

CVE-2026-6366

πŸ”Ά medium
πŸ” Scan for this CVE
Summary

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

CVSS Score
6.6
Medium
EPSS Score
0.1
Exploit Probability
Published Date
2026-05-19
First Seen: 2026-05-20
πŸ“Š Relative Risk Intelligence

This CVE is Lower Risk - more severe than 48.1% of all 325,680 vulnerabilities in our database.

#169,109
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Apr 30, 2026
πŸ” Exploitation Status
None
No known exploits
βš™οΈ Automatable
NO
Requires human interaction
πŸ’₯ Technical Impact
Total
Complete system compromise possible
πŸ† Discovered By
Truong Le (hswww) menon t-chen Benji Fisher (benjifisher) (remediation developer) cilefen (cilefen) (remediation developer) Neil Drumm (drumm) (remediation developer) Greg Knaddison (greggles) (remediation developer) Lee Rowlands (larowlan) (remediation developer) Dave Long (longwave) (remediation developer) Drew Webber (mcdruid) (remediation developer) Ra MÀnd (ram4nd) (remediation developer) Jess (xjm) (remediation developer) Greg Knaddison (greggles) (coordinator) Lee Rowlands (larowlan) (coordinator) Dave Long (longwave) (coordinator) Drew Webber (mcdruid) (coordinator) Juraj Nemec (poker10) (coordinator) Jess (xjm) (coordinator)
SSVC data provided by CISA
Last Modified 2026-05-20
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-915

πŸ“¦ Affected Products 4

Vendor Product Status Affected Versions
drupal drupal Affected
> 8.0.0 < 10.5.9
drupal drupal Affected
> 10.6.0 < 10.6.7
drupal drupal Affected
> 11.0.0 < 11.2.11
drupal drupal Affected
> 11.3.0 < 11.3.7

πŸ”— References 1

https://www.drupal.org/sa-core-2026-002
Vendor Advisory

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-9082 β›” critical 9.8 34.2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core... 2026-05-20
CVE-2026-6365 πŸ”Ά medium 6.1 0.0 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core... 2026-05-19
CVE-2026-6367 πŸ”Ά medium 6.1 0.0 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core... 2026-05-19
CVE-2025-13080 πŸ”Ά medium 5.3 0.1 Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This i... 2025-11-18
CVE-2025-13081 πŸ”Ά medium 5.9 0.2 Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow... 2025-11-18
CVE-2025-13082 πŸ”Ά medium 4.3 0.1 User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofin... 2025-11-18
These CVEs affect the same products