CVE-2026-6366

MEDIUM
Published May 19, 2026 Modified May 20, 2026 CWE-915

Description

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

CVSS v3.1 Score

6.6
MEDIUM
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS — Exploit Prediction

0.0005
Probability of exploitation
0.16%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-915 CWE-915

Affected Products

Vendor Product
drupal drupal
drupal drupal
drupal drupal
drupal drupal

References

Frequently Asked Questions

What is CVE-2026-6366? +
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7. It has a CVSS v3.1 base score of 6.6 (MEDIUM).
How severe is CVE-2026-6366? +
CVE-2026-6366 has a CVSS v3.1 score of 6.6 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0005, placing it in the 0th percentile for exploitation probability.
What products are affected by CVE-2026-6366? +
CVE-2026-6366 affects products from drupal, specifically: drupal. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2026-6366? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-24370

Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn are vulnerable to python class pollution vulnerability. …
CVE-2025-2304

A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the …
CVE-2026-8327

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller …
CVE-2026-46721

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control …
CVE-2025-9315

An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object Attributes, has been identified in the MXsecurity …
CVE-2025-58367

DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-6366 — free, no signup required.

Start Free Scan