CVE-2026-55807

Name of the Vulnerable Software and Affected Versions Drupal core (affected versions not specified)

Description The Media module supports oEmbed, which utilizes two discovery mechanisms: providers.json and URL discovery. The URL discovery code can be exploited to trick the system into making unauthorized server-side requests to any arbitrary URL. This is a Server-Side Request Forgery (SSRF), a flaw where an attacker can force a server to send requests to an unintended location.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.