PT-2026-60353 · Packagist · Drupal Core
CVE-2026-15916
·
Published
2026-07-15
·
Updated
2026-07-15
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The Image module allows you to define and configure image fields.
The module doesn't sufficiently check access to image style derivatives when those files are served via a file stream other than
private://.This vulnerability is mitigated by the fact that Drupal must be configured to use a contributed (non-core) file scheme to serve private derived images.
Information disclosure issues like this one are not generally given security advisories (as described in PSA-2023-07-12)). This fix is provided as a hardening. Contributed modules implementing custom stream wrappers may need to add similar hardenings.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Drupal Core