PT-2026-33241 · Drupal · Drupal

Benji Fisher +12

Published 2026-04-15 · Updated 2026-05-21

CVE-2026-6366

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Drupal core versions 8.0.0 through 10.5.8
Drupal core versions 10.6.0 through 10.6.6
Drupal core versions 11.0.0 through 11.2.10
Drupal core versions 11.3.0 through 11.3.6
Description

Drupal core allows Object Injection due to improperly controlled modification of dynamically-determined object attributes. The issue is a gadget chain (a sequence of existing code fragments in the code base) that can be leveraged to achieve remote code execution or SQL injection if the application deserializes untrusted data via the unserialize() function because of a separate vulnerability. This issue is not directly exploitable on its own: an attacker first needs some other way to get attacker-controlled serialized data into an unserialize() call.
Recommendations

Update versions 8.0.0 through 10.5.8 to 10.5.9.
Update versions 10.6.0 through 10.6.6 to 10.6.7.
Update versions 11.0.0 through 11.2.10 to 11.2.11.
Update versions 11.3.0 through 11.3.6 to 11.3.7.
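The precondition the description names, untrusted bytes reaching unserialize(), is what a defender can remove on the application side while the core update is rolled out. The following PHP is an added example, not Drupal core code, and does not reproduce the reported gadget chain; the SessionPrefs class, the function names and the inputs are constructed for the demonstration. It contrasts an unrestricted unserialize() call with two hardened forms: unserialize() with allowed_classes set to false (objects come back as __PHP_Incomplete_Class and no magic methods run), and a data-only format via json_decode().

```php
<?php
// Added example (not Drupal code). Shows the advisory's precondition, i.e.
// attacker-controlled data passed to unserialize(), and two safer patterns.
// SessionPrefs and the sample inputs are constructed for this demo.

declare(strict_types=1);

final class SessionPrefs
{
    public function __construct(public string $theme = 'default') {}
}

// Weak pattern: untrusted input reaches unserialize() without restrictions.
// Any autoloadable class can be instantiated, which is the entry point that
// lets a gadget chain execute during unserialization or object destruction.
function loadPrefsUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: forbid object instantiation. Serialized objects become
// __PHP_Incomplete_Class instances whose magic methods are never invoked; any
// such value is treated as a tampered payload and rejected. max_depth (PHP 7.4+)
// also bounds nesting so deeply nested payloads cannot exhaust resources.
function loadPrefsSafe(string $untrusted): ?array
{
    $value = @unserialize($untrusted, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($value) || containsIncompleteClass($value)) {
        return null;
    }
    return $value;
}

// Recursively check a decoded value for leftover object placeholders.
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern 2: use a data-only format across the trust boundary.
// json_decode() cannot instantiate application classes at all.
function loadPrefsJson(string $untrusted): ?array
{
    try {
        $value = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// Constructed inputs: plain data, and a serialized object standing in for
// anything an attacker could smuggle into the call.
$plainData       = serialize(['theme' => 'dark']);
$serializedObject = serialize(new SessionPrefs('dark'));

var_dump(loadPrefsUnsafe($serializedObject) instanceof SessionPrefs); // unsafe path instantiates the class
var_dump(loadPrefsSafe($serializedObject));                            // hardened path rejects the object
var_dump(loadPrefsSafe($plainData));                                   // plain arrays still load
var_dump(loadPrefsJson('{"theme":"dark"}'));                           // JSON path needs no unserialize() at all
```

The allowed_classes option only neutralises the object-injection precondition in code you control; it does nothing for unserialize() calls elsewhere in the stack, so the version updates above remain the actual fix.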


Weakness Enumeration

Related Identifiers

BDU:2026-07320
BIT-DRUPAL-2026-6366
CVE-2026-6366
DRUPAL-CORE-2026-002
GHSA-XMJC-63PR-2MPG

Affected Products

Drupal