CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Drupal core - Critical - PHP object injection - SA-CORE-2026-005

criticalCVE-2026-55803
Project: Drupal core Date: 2026-June-17 Security risk: Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: PHP object injection Affected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.* CVE IDs: CVE-2026-55803 Description: SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services. The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection. This vulnerability is mitigated by the fact that in order to be exploitable: A site must use an entity reference field type that stores a serialized property. An attacker must have permission to write to the entity via JSON:API. No field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules. JSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access). Drupal Steward protection: This issue is being protected by Drupal Steward . In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are not mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release. Solution: Install the latest version: Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.12 . If you use Drupal 11.2.x, update to Drupal 11.2.14 . Drupal 10 If you use

CSIRTS triage

vendor: Drupalproduct: Drupal coreOtheraffected: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*
What
PHP object injection vulnerability due to insufficient protection for serialized data.
Who is affected
Users of affected Drupal core versions.
Urgency
Critical remediation is needed due to the severity of the vulnerability.
Action
Update to the latest version of Drupal or the specified versions.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Drupal core

Get an email when a new Drupal core advisory drops — max one per day, one-click unsubscribe.

Details

Source
Drupal Security Advisories (INTL · vendor-psirt · site)
Severity
critical
Published
2026-06-17
Exploitation
Not in CISA KEV at last sync

Original advisory: https://www.drupal.org/sa-core-2026-005

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-55803coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

Recent advisories for Drupal core -

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from Drupal Security Advisories