
[CIVN-2026-0348] Multiple Vulnerabilities in Drupal
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Formatter Field module versions prior to 2.0.0
Flag attendance field module versions prior to 1.2
Plotly.js Graphing module versions prior to 3.0.2
Overview
Multiple vulnerabilities have been reported in Drupal modules, which could allow attackers to perform PHP object injection on the targeted system.
Target Audience:
All end-user organizations and individuals using Drupal modules.
Risk Assessment:
Risk of PHP object injection, unauthorized access and system compromise.
Impact Assessment:
Potential for unauthorized access, execution of arbitrary code, sensitive information disclosure and compromise of the system.
Description
Drupal is an open-source Content Management System (CMS) which allows individuals and organizations to create, manage and maintain websites and web applications.
Multiple vulnerabilities exist in Drupal modules due to insecure deserialization of PHP-serialized data. The affected modules (Formatter Field, Flag attendance field, and Plotly.js Graphing) store certain field data as PHP-serialized strings. Malicious serialized data placed in those fields may be processed during deserialization, resulting in PHP object injection.
Successful exploitation of these vulnerabilities could allow an attacker to perform PHP object injection on the targeted system.
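The failure mode described above, as an added example that is not part of the CERT-In advisory or of the affected modules' code: an unrestricted unserialize() call instantiates whatever class the stored string names, while a decode restricted with allowed_classes refuses it. WakeupProbe and decode_field_value are hypothetical names, and both serialized values are constructed for the demonstration.

```php
<?php
// Constructed stand-in for any loadable class with a magic method;
// it only counts how often deserialization instantiated it.
final class WakeupProbe
{
    public static $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Hypothetical helper (not a Drupal or module API): decode a stored field
// value while refusing every serialized object.
function decode_field_value(string $stored)
{
    // allowed_classes => false maps every object to __PHP_Incomplete_Class,
    // so no class is instantiated and no magic method runs.
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if ($value === false && $stored !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized data');
    }
    // Walk nested arrays: field settings should contain scalars and arrays only.
    $pending = [$value];
    while ($pending) {
        $item = array_pop($pending);
        if (is_object($item) || $item instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('serialized object rejected');
        }
        if (is_array($item)) {
            foreach ($item as $child) {
                $pending[] = $child;
            }
        }
    }
    return $value;
}

$benign   = serialize(['format' => 'plain', 'limit' => 5]); // constructed sample
$tampered = serialize(['format' => new WakeupProbe()]);     // constructed sample

unserialize($tampered); // unrestricted decode: the named class is instantiated
printf("unrestricted: __wakeup ran %d time(s)\n", WakeupProbe::$wakeups);

var_dump(decode_field_value($benign) === ['format' => 'plain', 'limit' => 5]);
try {
    decode_field_value($tampered);
} catch (UnexpectedValueException $e) {
    printf("restricted: %s, __wakeup count still %d\n", $e->getMessage(), WakeupProbe::$wakeups);
}
```

The restricted decode is a hardening pattern for custom code that reads serialized field data; for the three affected modules the remedy remains the vendor updates listed under Solution.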
Solution
Apply appropriate updates as mentioned by the vendor:
https://www.drupal.org/sa-contrib-2026-048
https://www.drupal.org/sa-contrib-2026-049
https://www.drupal.org/sa-contrib-2026-050
Vendor Information
Drupal
https://www.drupal.org/sa-contrib-2026-048
https://www.drupal.org/sa-contrib-2026-049
https://www.drupal.org/sa-contrib-2026-050
References
Drupal
https://www.drupal.org/sa-contrib-2026-048
https://www.drupal.org/sa-contrib-2026-049
https://www.drupal.org/sa-contrib-2026-050
CVE Name
CVE-2026-12535
CVE-2026-55809
CVE-2026-55810
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


