CVE-2026-15916

high

Description

The Image module allows you to define and configure image fields. The module doesn't sufficiently check access to image style derivatives when those files are served via a file stream other than private://. This vulnerability is mitigated by the fact that Drupal must be configured to use a contributed (non-core) file scheme to serve private derived images. Information disclosure issues like this one are not generally given security advisories (as described in PSA-2023-07-12)). This fix is provided as a hardening. Contributed modules implementing custom stream wrappers may need to add similar hardenings.

References

https://www.drupal.org/sa-core-2026-010

Details

Source: Mitre, NVD

Published: 2026-07-15

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High