CVE-2026-13244

The Tealium iQ Tag Management module provides Drupal integration with Tealium iQ.

tealiumiq stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an Object Injection vulnerability when the data are unserialized.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a content entity with an attached tealiumiq field. In addition, the core jsonapi module must be enabled with the option "Accept all JSON:API create, read, update, and delete operations", which is not the default, or the attacker needs some other way to edit field values directly.

Note: This project was marked as Unsupported by the Drupal Security Team on 2026-06-24 but a fix was released and the project restored on 2026-06-26.