CVE-2026-6366

CVE-2026-6366: Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Vendor Drupal

Product Drupal core

Weakness CWE-915

Published May 19, 2026

Last update May 21, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

Key dates

Disclosure timeline

May 19, 2026 CVE published

May 21, 2026 Record updated

Identifiers

CVE CVE-2026-6366

CWE CWE-915

Affected versions

Vendor Drupal

Product Drupal core

Affected ≥ 8.0.0 and < 10.5.9

Vendor Drupal

Product Drupal core

Affected ≥ 10.6.0 and < 10.6.7

Vendor Drupal

Product Drupal core

Affected ≥ 11.0.0 and < 11.2.11

Vendor Drupal

Product Drupal core

Affected ≥ 11.3.0 and < 11.3.7