Drupal 11.2.x < 11.2.14 Multiple Vulnerabilities

medium Web App Scanning Plugin ID 115310

Synopsis

Drupal 11.2.x < 11.2.14 Multiple Vulnerabilities

Description

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities:

- A PHP object injection vulnerability exists in JSON:API where an attacker with write permissions could inject a malicious payload in certain circumstances when entity reference fields store serialized properties, potentially resulting in PHP object injection. (CVE-2026-55803)

- Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site, which an attacker could leverage to achieve remote code execution or other attacks if the application deserializes untrusted data. (CVE-2026-55804)

- The rebuild.php front controller fails to properly validate the Host header against trusted host patterns, potentially enabling cache poisoning or open redirects to attacker-controlled domains. (CVE-2026-55806)

- The Media module's oEmbed URL discovery mechanism can be exploited to trick Drupal into making server-side requests to arbitrary URLs, resulting in server-side request forgery (SSRF). (CVE-2026-55807)

- The JSON:API and REST modules validate file extensions but not MIME types during image uploads, potentially allowing files to be served with unexpected MIME types and enabling cross-site scripting (XSS) or other unexpected behavior on misconfigured servers. (CVE-2026-55808)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update to Drupal version 11.2.14 or latest.

See Also

https://www.drupal.org/project/drupal/releases/11.2.14

https://www.drupal.org/sa-core-2026-005

https://www.drupal.org/sa-core-2026-006

https://www.drupal.org/sa-core-2026-007

https://www.drupal.org/sa-core-2026-008

https://www.drupal.org/sa-core-2026-009

Plugin Details

Severity: Medium

ID: 115310

Type: Version Based

Published: 7/17/2026

Updated: 7/17/2026

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

Percentile: 96.77

CVSS v2

Risk Factor: Medium

Base Score: 6.2

Vector: CVSS2#AV:N/AC:H/Au:M/C:C/I:C/A:N

CVSS Score Source: CVE-2026-55803

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CVSS Score Source: CVE-2026-55803

Vulnerability Information

CPE: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/31/2026

Reference Information

CVE: CVE-2026-55803, CVE-2026-55804, CVE-2026-55806, CVE-2026-55807, CVE-2026-55808

CWE: 601, 79, 915, 918

OWASP: 2010-A1, 2010-A10, 2010-A2, 2010-A6, 2013-A1, 2013-A10, 2013-A3, 2013-A5, 2013-A9, 2017-A1, 2017-A6, 2017-A7, 2017-A9, 2021-A1, 2021-A10, 2021-A3, 2021-A6, 2021-A8, 2025-A1, 2025-A5, 2025-A6, 2025-A8

WASC: Application Misconfiguration, Cross-Site Scripting, Improper Input Handling, URL Redirector Abuse

CAPEC: 209, 588, 591, 592, 63, 85

DISA STIG: APSC-DV-002490, APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(e)

ISO: 27001-A.13.1.3, 27001-A.13.2.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5

NIST: sp800_53-AC-4, sp800_53-CM-6b, sp800_53-SI-10

OWASP API: 2019-API7, 2019-API8, 2023-API3, 2023-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.1.2, 4.0.2-5.1.5, 4.0.2-5.2.6, 4.0.2-5.3.3

PCI-DSS: 3.2-6.2, 3.2-6.5.1, 3.2-6.5.7, 3.2-6.5.8, 3.2-6.5.9