PT-2026-60353 · Packagist · Drupal Core

CVE-2026-15916

·

Published

2026-07-15

·

Updated

2026-07-15

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The Image module allows you to define and configure image fields.
The module doesn't sufficiently check access to image style derivatives when those files are served via a file stream other than private://.
This vulnerability is mitigated by the fact that Drupal must be configured to use a contributed (non-core) file scheme to serve private derived images.
Information disclosure issues like this one are not generally given security advisories (as described in PSA-2023-07-12)). This fix is provided as a hardening. Contributed modules implementing custom stream wrappers may need to add similar hardenings.
Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-15916
DRUPAL-CORE-2026-010

Affected Products

Drupal Core