PT-2026-28313 · Drupal · Drupal File (Field) Paths

Michael Hess

Published: 2026-03-26 · Updated: 2026-03-26 · CVE-2026-1556

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Drupal File (Field) Paths versions prior to 7.1.3

Description

An information disclosure issue exists in the file URI processing of File (Field) Paths in Drupal. Authenticated users can potentially disclose other users’ private files through filename-collision uploads. This can occur when consumers of hook_node_insert(), such as email attachment modules, receive an incorrect file URI, bypassing normal access controls on private files.

Recommendations

Update Drupal File (Field) Paths to version 7.1.3 or later.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related identifiers

CVE-2026-1556

Affected products

Drupal File (Field) Paths