Vulners
Lucene search
Drupal 10.5.x < 10.5.12 / 10.6.x < 10.6.11 / 11.2.x < 11.2.14 / 11.3.x < 11.3.12 Multiple Vulnerabilities (drupal-2026-06-17)
| Reporter | Title | Published | Views | Family All 25 |
|---|---|---|---|---|
 | CVE-2026-55803 | 18 Jun 202613:15 | β | circl |
| CVE-2026-55804 | 18 Jun 202613:15 | β | circl |
| CVE-2026-55806 | 18 Jun 202613:15 | β | circl |
| CVE-2026-55807 | 18 Jun 202613:15 | β | circl |
| CVE-2026-55808 | 18 Jun 202613:15 | β | circl |
 | CVE-2026-55803 | 18 Jun 202613:15 | β | cve |
| CVE-2026-55804 | 18 Jun 202613:15 | β | cve |
| CVE-2026-55806 | 18 Jun 202613:15 | β | cve |
| CVE-2026-55807 | 18 Jun 202613:15 | β | cve |
| CVE-2026-55808 | 18 Jun 202613:15 | β | cve |
10
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(321519);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/18");
script_cve_id(
"CVE-2026-55803",
"CVE-2026-55804",
"CVE-2026-55806",
"CVE-2026-55807",
"CVE-2026-55808"
);
script_name(english:"Drupal 10.5.x < 10.5.12 / 10.6.x < 10.6.11 / 11.2.x < 11.2.14 / 11.3.x < 11.3.12 Multiple Vulnerabilities (drupal-2026-06-17)");
script_set_attribute(attribute:"synopsis", value:
"A PHP application running on the remote web server is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, the instance of Drupal running on the remote web server is 10.5.x prior to
10.5.12, 10.6.x prior to 10.6.11, 11.2.x prior to 11.2.14, or 11.3.x prior to 11.3.12. It is, therefore, affected by
multiple vulnerabilities.
- Drupal core contains a chain of methods that could be exploitable when an insecure deserialization
vulnerability exists on the site. This so-called gadget chain presents no direct threat, but is a vector
that can be used to achieve remote code execution or SQL injection if the application deserializes
untrusted data due to another vulnerability. This issue is not directly exploitable. This issue is
mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to
allow an attacker to pass unsafe input to unserialize(). (CVE-2026-55804)
- Drupal core ships a rebuild.php front controller that can be used to rebuild Drupal (clearing the caches
and rebuilding the container) when the site is in an unexpected condition. This script doesn't correctly
check the Host header against the list of trusted host patterns. This could result in cache poisoning or a
redirect to an attacker-controlled domain. (CVE-2026-55806)
- The JSON:API and REST modules allow you to upload image files to image fields. The validation rules check
the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to
upload a file that is not an image. Certain web-server configurations may serve the uploaded file with its
actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other
unexpected behavior. (CVE-2026-55808)
- The Media module comes with support for oEmbed. The oEmbed specification contains two discovery
mechanisms, via providers.json and via URL discovery. The URL discovery code could be leveraged to trick
Drupal into making server-side requests to any URL. (CVE-2026-55807)
- SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web
services. The above fix did not cover all potential attack vectors for JSON:API. An attacker with
appropriate JSON:API write permission could potentially inject a malicious payload in certain rare
circumstances, potentially resulting in PHP Object Injection. This vulnerability is mitigated by the fact
that in order to be exploitable: A site must use an entity reference field type that stores a serialized
property. An attacker must have permission to write to the entity via JSON:API. No field type shipped with
Drupal core meets these criteria, and contributed or user-created field types that do appear to be
extremely unusual. This update protects all such fields; no changes are required in contributed modules.
JSON:API is read-only by default, so sites are only affected if they have enabled write access (either
through administrator configuration or the installation of a contributed or custom module that enables
write access). Drupal Steward protection: This issue is being protected by Drupal Steward. In this
instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths,
but may not cover all cases or work for all hosting providers. Additionally, several other core security
advisories released today are not mitigated by Drupal Steward. Therefore, our recommended action is still
to plan an actual Drupal update within 24 hours of this release. (CVE-2026-55803)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2026-009");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/10.5.12");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/10.6.11");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/11.2.14");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/11.3.12");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/psa-2021-06-29");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/psa-2023-11-01");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2026-008");
# https://www.drupal.org/docs/getting-started/installing-drupal/trusted-host-settings
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?32ad7152");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2026-007");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2026-006");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2026-005");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2019-003");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/steward");
script_set_attribute(attribute:"solution", value:
"Upgrade to Drupal version 10.5.12 / 10.6.11 / 11.2.14 / 11.3.12 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-55804");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/17");
script_set_attribute(attribute:"patch_publication_date", value:"2026/06/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/18");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("drupal_detect.nasl");
script_require_keys("installed_sw/Drupal", "Settings/ParanoidReport");
script_require_ports("Services/www", 80, 443);
exit(0);
}
include('vcf.inc');
include('http.inc');
if (report_paranoia < 2) audit(AUDIT_PARANOID);
var port = get_http_port(default:80, php:TRUE);
var app_info = vcf::get_app_info(app:'Drupal', port:port, webapp:TRUE);
vcf::check_granularity(app_info:app_info, sig_segments:2);
var constraints = [
{ 'min_version' : '10.5.0', 'fixed_version' : '10.5.12' },
{ 'min_version' : '10.6.0', 'fixed_version' : '10.6.11' },
{ 'min_version' : '11.2.0', 'fixed_version' : '11.2.14' },
{ 'min_version' : '11.3.0', 'fixed_version' : '11.3.12' }
];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE,
flags:{'sqli':TRUE, 'xss':TRUE}
);
Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Jun 2026 00:00Current
6.5Medium risk
Vulners AI Score6.5