PT-2026-50610 · Packagist · Drupal Core
Published: 2026-06-17 · Updated: 2026-06-18 · CVE-2026-55808
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Drupal core (affected versions not specified)
Description
The JSON:API and REST modules allow image file uploads to image fields. The validation rules verify the file extension but fail to check the file MIME type (Multipurpose Internet Mail Extensions), which is a standard used to identify the nature and format of a document. This flaw allows a malicious user to upload non-image files. Depending on the web-server configuration, these files may be served using their actual MIME type, potentially leading to cross-site scripting (XSS), where malicious scripts are injected into trusted websites, or other unexpected behavior.
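The gap described above, shown as an added example in plain PHP. It is not Drupal core code or the project's fix. The function names, the allow-list and the sample bytes are assumptions made for illustration, and the sniffing relies on PHP's fileinfo extension.

```php
<?php
// Added illustration, not Drupal core code. All names here are hypothetical.

// Allowed image extensions mapped to the MIME type the content must sniff as.
const IMAGE_TYPES = [
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'webp' => 'image/webp',
];

/** Extension-only validation: the kind of check the description says is insufficient. */
function extension_only_check(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return isset(IMAGE_TYPES[$ext]);
}

/** Extension check plus content sniffing; the two must agree. */
function extension_and_content_check(string $filename, string $bytes): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset(IMAGE_TYPES[$ext])) {
        return false;
    }
    // finfo classifies the bytes themselves and ignores the file name.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return $sniffed === IMAGE_TYPES[$ext];
}

// Constructed samples: a GIF header, and an HTML document.
$gif  = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";
$html = "<!DOCTYPE html><html><body><p>not an image</p></body></html>";

$samples = [
    ['pixel.gif',  $gif],   // extension and content agree
    ['avatar.png', $html],  // non-image content behind an image extension
    ['pixel.png',  $gif],   // real image, but not the type the name claims
];

foreach ($samples as [$name, $bytes]) {
    printf(
        "%-11s ext-only=%-5s ext+content=%s\n",
        $name,
        var_export(extension_only_check($name), true),
        var_export(extension_and_content_check($name, $bytes), true)
    );
}
```

All three names pass the extension-only check, while only `pixel.gif` passes the combined check. Sniffing looks at leading bytes only, so it confirms the declared type without proving the rest of the file is a well-formed image.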
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Related Identifiers
Affected Products
Drupal Core