CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-55803

criticalcovered by 3 sourcesfirst seen 2026-06-17
Project: Drupal core Date: 2026-June-17 Security risk: Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: PHP object injection Affected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.* CVE IDs: CVE-2026-55803 Description: SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services. The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection. This vulnerability is mitigated by the fact that in order to be exploitable: A site must use an entity reference field type that stores a serialized property. An attacker must have permission to write to the entity via JSON:API. No field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules. JSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access). Drupal Steward protection: This issue is being protected by Drupal Steward . In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are not mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release. Solution: Install the latest version: Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.12 . If you use Drupal 11.2.x, update to Drupal 11.2.14 . Drupal 10 If you use

CSIRTS triage

What
Multiple vulnerabilities have been identified in Drupal.
Who is affected
Users of Drupal.
Urgency
Remediation is important to maintain security.
Action
Monitor for updates regarding the vulnerabilities in Drupal.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-55803

Get an email if CVE-2026-55803 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (3)

External references

NVD record for CVE-2026-55803

CVE.org record

Embed the live status

CVE-2026-55803 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-55803 status](https://www.csirts.com/badge/CVE-2026-55803)](https://www.csirts.com/cve/CVE-2026-55803)