Drupal core - Highly critical - Remote Code Execution
Description
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.6.0, < 8.6.10 | 8.6.10 |
| drupal/core (Packagist) | >= 7.0.0, < 7.62.0 | 7.62.0 |
| drupal/core (Packagist) | >= 8.0.0, < 8.5.11 | 8.5.11 |
| drupal/drupal (Packagist) | >= 7.0.0, < 7.62.0 | 7.62.0 |
| drupal/drupal (Packagist) | >= 8.0.0, < 8.5.11 | 8.5.11 |
| drupal/drupal (Packagist) | >= 8.6.0, < 8.6.10 | 8.6.10 |
Affected products
- (no CPE) range: >= 8.6.0, < 8.6.10
- (no CPE) range: >= 7.0.0, < 7.62.0
- Range: 8.5
References
- www.exploit-db.com/exploits/46452/ (mitre; exploit; x_refsource_EXPLOIT-DB)
- www.exploit-db.com/exploits/46459/ (mitre; exploit; x_refsource_EXPLOIT-DB)
- www.exploit-db.com/exploits/46510/ (mitre; exploit; x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-3gx6-h57h-rm27 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-6340 (ghsa; ADVISORY)
- www.securityfocus.com/bid/107106 (mitre; vdb-entry; x_refsource_BID)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml (ghsa; WEB)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (ghsa; WEB)
- www.drupal.org/sa-core-2019-003 (ghsa; x_refsource_CONFIRM; WEB)
- www.exploit-db.com/exploits/46452 (ghsa; WEB)
- www.exploit-db.com/exploits/46459 (ghsa; WEB)
- www.exploit-db.com/exploits/46510 (ghsa; WEB)
- www.synology.com/security/advisory/Synology_SA_19_09 (ghsa; x_refsource_CONFIRM; WEB)
News mentions
- CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004) (Tenable Blog · May 21, 2026)