Medium severity 6.6 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026
CVE-2026-6366
Description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.
This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.0.0, < 10.5.9 | 10.5.9 |
| drupal/core (Packagist) | >= 10.6.0, < 10.6.7 | 10.6.7 |
| drupal/core (Packagist) | >= 11.0.0, < 11.2.11 | 11.2.11 |
| drupal/core (Packagist) | >= 11.3.0, < 11.3.7 | 11.3.7 |
Affected products
- Range: >=8.0.0, <10.5.9 || >=10.6.0, <10.6.7 || >=11.0.0, <11.2.11 || >=11.3.0, <11.3.7
References
- github.com/advisories/GHSA-xmjc-63pr-2mpg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-6366 (ghsa, ADVISORY)
- www.drupal.org/sa-core-2026-002 (nvd, Vendor Advisory, WEB)
News mentions
- Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002 · Drupal Security Advisories · Apr 15, 2026