
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN651
_____________________________________________________________________

DATE                : 18/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions prior to
                         10.5.12, 10.6.11, 11.2.14, 11.3.12.

=====================================================================
https://www.drupal.org/sa-core-2026-005
https://www.drupal.org/sa-core-2026-006
https://www.drupal.org/sa-core-2026-008
https://www.drupal.org/sa-core-2026-009
_____________________________________________________________________

Drupal core - Critical - PHP object injection - SA-CORE-2026-005
Project: Drupal core
Date: 2026-June-17
Security risk: 
Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: PHP object injection
Affected versions: 
<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12
|| 11.0.* || 11.1.*
CVE IDs: CVE-2026-55803


Description: 

SA-CORE-2019-003 added protection for fields that store serialized
data to disallow direct writes via web services.

The above fix did not cover all potential attack vectors for
JSON:API. An attacker with JSON:API write permission could, in
certain rare circumstances, inject a malicious payload and cause
PHP object injection.

This vulnerability is mitigated by the fact that in order to be
exploitable:

    A site must use an entity reference field type that stores a
serialized property.
    An attacker must have permission to write to the entity via
JSON:API.

No field type shipped with Drupal core meets these criteria, and
contributed or user-created field types that do appear to be
extremely unusual. This update protects all such fields; no
changes are required in contributed modules.

JSON:API is read-only by default, so sites are only affected if
they have enabled write access (either through administrator
configuration or the installation of a contributed or custom
module that enables write access).


Drupal Steward protection:

This issue is being protected by Drupal Steward. In this
instance, we believe that the WAF rule will provide mitigation
for the common/obvious vulnerability paths, but may not cover
all cases or work for all hosting providers. Additionally,
several other core security advisories released today are
not mitigated by Drupal Steward. Therefore, our recommended
action is still to plan an actual Drupal update within
24 hours of this release.


Solution: 

Install the latest version:

Drupal 11

    If you use Drupal 11.3.x, update to Drupal 11.3.12.
    If you use Drupal 11.2.x, update to Drupal 11.2.14.

Drupal 10

    If you use Drupal 10.6.x, update to Drupal 10.6.11.
    If you use Drupal 10.5.x, update to Drupal 10.5.12.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are
end-of-life and do not receive security coverage. (Drupal 8
and Drupal 9 have both reached end-of-life.)
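A quick way to tell whether an installed core version falls inside the affected ranges listed above. This is an added example, not part of the advisory or of Drupal; it only encodes the constraint expression from the "Affected versions" line with version_compare(), and it assumes you already have the version string (for instance from `composer show drupal/core`).

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Drupal code: is this core version inside the ranges
 *   <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12
 *   || 11.0.* || 11.1.*
 * as listed in the advisory?
 *
 * Note that "<10.5.12" also covers the end-of-life 10.4.x-and-below releases
 * (and Drupal 8/9 version numbers), which the advisory says receive no fix.
 */
function drupalCoreIsAffected(string $version): bool
{
    // Keep only the numeric dotted prefix: "10.6.3-rc1" -> "10.6.3",
    // then pad to three components so version_compare() sees "x.y.z".
    if (!preg_match('/^\d+(?:\.\d+){0,2}/', $version, $m)) {
        throw new InvalidArgumentException("Unrecognised version string: $version");
    }
    $v = implode('.', array_pad(explode('.', $m[0]), 3, '0'));

    // Half-open interval [$lo, $hi).
    $inRange = static fn(string $lo, string $hi): bool =>
        version_compare($v, $lo, '>=') && version_compare($v, $hi, '<');

    return version_compare($v, '10.5.12', '<')   // everything below 10.5.12
        || $inRange('10.6.0', '10.6.11')
        || $inRange('11.2.0', '11.2.14')
        || $inRange('11.3.0', '11.3.12')
        || $inRange('11.0.0', '11.2.0');         // 11.0.* and 11.1.* (end-of-life)
}

// Constructed sample versions; feed the real one from your composer.lock instead.
foreach (['10.4.8', '10.5.11', '10.5.12', '10.6.10', '11.1.7', '11.2.14', '11.3.12-dev'] as $ver) {
    printf("%-12s %s\n", $ver, drupalCoreIsAffected($ver) ? 'AFFECTED' : 'fixed');
}
```

Pre-release suffixes are stripped before comparing, so a "-dev" build of a fixed release is reported as fixed; treat that as an approximation and confirm with the actual commit you deployed.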


Reported By: 

    Michael Maturi (michaelmaturi) 

Fixed By: 

    Björn Brala (bbrala)
    Sascha Grossenbacher (berdir)
    Lee Rowlands (larowlan) of the Drupal Security Team
    Dave Long (longwave) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team 

Coordinated By: 

    Anna Kalata (akalata) of the Drupal Security Team
    Benji Fisher (benjifisher) of the Drupal Security Team
    Damien McKenna (damienmckenna) of the Drupal Security Team
    David Strauss (david strauss) of the Drupal Security Team
    Neil Drumm (drumm) of the Drupal Security Team
    Greg Knaddison (greggles) of the Drupal Security Team
    Tim Hestenes Lehnen (hestenet)
    Lee Rowlands (larowlan) of the Drupal Security Team
    Dave Long (longwave) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Juraj Nemec (poker10) of the Drupal Security Team
    Ra Mänd (ram4nd) provisional member of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 
_____________________________________________________________________

Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006
Project: Drupal core
Date: 2026-June-17
Security risk: 
Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Gadget chain
Affected versions: 
<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 ||
>=11.3.0 <11.3.12 || 11.0.* || 11.1.*
CVE IDs: CVE-2026-55804

Description: 

Drupal core contains a chain of methods that could be exploitable
when an insecure deserialization vulnerability exists on the site.
This so-called "gadget chain" presents no direct threat, but is a
vector that can be used to achieve remote code execution or SQL
injection if the application deserializes untrusted data due to
another vulnerability.

This issue is not directly exploitable.

This issue is mitigated by the fact that in order for it to be
exploitable, a separate vulnerability must be present to allow
an attacker to pass unsafe input to unserialize().
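The two advisories above describe the two halves of one attack: SA-CORE-2026-005 is a path by which attacker-controlled bytes can reach unserialize(), and SA-CORE-2026-006 is a chain of classes that does something harmful when instantiated that way. The following is an added example, not Drupal's code, showing why that combination matters and what the one-line control looks like. DemoGadget is a constructed stand-in for a gadget class and only records a marker; the payload is built with serialize() on the same machine, not taken from any real exploit.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Drupal code, PHP 8): untrusted input reaching
 * unserialize() instantiates whatever class the string names, and magic
 * methods on that class run before any application code can validate it.
 *
 * DemoGadget is a harmless stand-in for a "gadget": a class whose
 * __wakeup/__destruct/__toString does something with attacker-chosen
 * properties. Here it only appends to a log so the effect is observable.
 */
final class DemoGadget
{
    public static array $log = [];

    public function __construct(public string $action = '') {}

    public function __wakeup(): void
    {
        // Fires automatically inside unserialize().
        self::$log[] = "wakeup: {$this->action}";
    }
}

/** Unsafe: any class name in the input is instantiated. */
function unsafeRestore(string $blob): mixed
{
    return unserialize($blob);
}

/** Safe for pure data: objects come back as __PHP_Incomplete_Class and no magic methods fire. */
function safeRestore(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed payload: what could end up in a serialized field if a
// writable API lets the raw value through.
$payload = serialize(new DemoGadget('run-something'));
// $payload is: O:10:"DemoGadget":1:{s:6:"action";s:13:"run-something";}

DemoGadget::$log = [];
$a = unsafeRestore($payload);
assert($a instanceof DemoGadget);
assert(DemoGadget::$log === ['wakeup: run-something']);
echo "unsafe: class=" . get_class($a) . ", log=" . json_encode(DemoGadget::$log) . "\n";

DemoGadget::$log = [];
$b = safeRestore($payload);
assert(get_class($b) === '__PHP_Incomplete_Class');
assert(DemoGadget::$log === []);
echo "safe:   class=" . get_class($b) . ", log=" . json_encode(DemoGadget::$log) . "\n";

// Ordinary data still round-trips through the safe variant.
$data = ['title' => 'hello', 'weight' => 3];
assert(safeRestore(serialize($data)) === $data);
```

`allowed_classes => false` is right where the stored value is plain data (arrays and scalars); where legitimate objects must round-trip, pass an explicit list of class names instead. Removing a gadget chain, as SA-CORE-2026-006 does, is defence in depth: it takes away one useful chain but does not make unserialize() on untrusted input safe, which is why the fix for SA-CORE-2026-005 is the one that closes the entry point.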

Solution: 

Install the latest version:

Drupal 11

    If you use Drupal 11.3.x, update to Drupal 11.3.12.
    If you use Drupal 11.2.x, update to Drupal 11.2.14.

Drupal 10

    If you use Drupal 10.6.x, update to Drupal 10.6.11.
    If you use Drupal 10.5.x, update to Drupal 10.5.12.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are
end-of-life and do not receive security coverage. (Drupal 8
and Drupal 9 have both reached end-of-life.)

Reported By: 

    Michael Maturi (michaelmaturi) 

Fixed By: 

    Lee Rowlands (larowlan) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Mohit Aghera (mohit_aghera) 

Coordinated By: 

    Anna Kalata (akalata) of the Drupal Security Team
    Benji Fisher (benjifisher) of the Drupal Security Team
    cilefen (cilefen) of the Drupal Security Team
    Greg Knaddison (greggles) of the Drupal Security Team
    Lee Rowlands (larowlan) of the Drupal Security Team
    Dave Long (longwave) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Juraj Nemec (poker10) of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 

_____________________________________________________________________

Drupal core - Moderately critical - Server-side request forgery -
SA-CORE-2026-008

Project: Drupal core
Date: 2026-June-17
Security risk: 
Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Server-side request forgery
Affected versions: 
<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 ||
>=11.3.0 <11.3.12 || 11.0.* || 11.1.*
CVE IDs: CVE-2026-55807

Description: 

The Media module comes with support for oEmbed. The oEmbed specification
contains two discovery mechanisms, via providers.json and via URL
discovery.

The URL discovery code could be leveraged to trick Drupal into making
server-side requests to any URL.


Solution: 

Install the latest version:

Drupal 11

    If you use Drupal 11.3.x, update to Drupal 11.3.12.
    If you use Drupal 11.2.x, update to Drupal 11.2.14.

Drupal 10

    If you use Drupal 10.6.x, update to Drupal 10.6.11.
    If you use Drupal 10.5.x, update to Drupal 10.5.12.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are
end-of-life and do not receive security coverage. (Drupal 8
and Drupal 9 have both reached end-of-life.)

Required site changes for URL discovery

Most users of the oEmbed functionality in Drupal likely use
providers.json to define known providers (such as YouTube
and Vimeo) for embedding content.

If you are using URL discovery, you now need to set a list
of trusted oEmbed discovery hosts in settings.php.

This is an array of regular expressions matched against the host
name of the URL being used for discovery. It follows the same
pattern as the existing $settings['trusted_host_patterns'].

Example:

// Only allow URL discovery from example.com.
$settings['media_oembed_discovery_trusted_host_patterns'] = [
  '^example\.com$',
];
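To see what the anchors in '^example\.com$' buy you, here is an added example (not Drupal's implementation) that applies such a pattern list to candidate discovery URLs. The matching rules it assumes are mine, not taken from the advisory: the host is extracted with parse_url(), compared case-insensitively, only http(s) URLs are considered, and any matching pattern allows discovery.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Drupal code: a regex host allowlist in the style of
 * media_oembed_discovery_trusted_host_patterns, applied to a URL.
 *
 * Assumptions (mine): case-insensitive match on the host part only,
 * non-http(s) schemes and URLs without a host are rejected outright.
 */
function discoveryHostAllowed(string $url, array $patterns): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;   // no file://, gopher://, etc.
    }
    $host = strtolower($parts['host']);
    foreach ($patterns as $pattern) {
        // Same delimiter style as Symfony's trusted-host handling.
        if (preg_match('{' . $pattern . '}i', $host) === 1) {
            return true;
        }
    }
    return false;
}

$anchored   = ['^example\.com$'];   // the advisory's example
$unanchored = ['example\.com'];     // a common mistake: substring match

// Constructed URLs => [expected with anchored list, expected with unanchored list].
$cases = [
    'https://example.com/page'                 => [true,  true],
    'https://EXAMPLE.com/page'                 => [true,  true],   // hosts are case-insensitive
    'https://example.com.attacker.test/'       => [false, true],   // suffix attack passes unanchored
    'https://notexample.com/'                  => [false, true],   // prefix attack passes unanchored
    'https://example.com@attacker.test/'       => [false, false],  // userinfo trick: host is attacker.test
    'http://169.254.169.254/latest/meta-data/' => [false, false],  // cloud metadata endpoint
    'file:///etc/passwd'                       => [false, false],  // no host, wrong scheme
];

foreach ($cases as $url => [$expectAnchored, $expectUnanchored]) {
    $gotA = discoveryHostAllowed($url, $anchored);
    $gotU = discoveryHostAllowed($url, $unanchored);
    assert($gotA === $expectAnchored && $gotU === $expectUnanchored);
    printf("%-44s anchored=%-5s unanchored=%s\n",
        $url, var_export($gotA, true), var_export($gotU, true));
}
```

The point of the comparison is the two middle rows: without `^` and `$` the pattern is a substring match, and an attacker who controls a subdomain or a look-alike domain satisfies it. Keep the list as short as the site actually needs; every host on it is one Drupal will be willing to fetch from on a user's behalf.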

Reported By: 

    Hamed Kohi (0xhamy)
    assaf alassaf (ama62)
    Albert Skibinski (askibinski)
    Jon Minder (ayalon)
    Lautaro Casanova (betah4k)
    Gabe Sullice (gabesullice)
    John Morahan (john morahan)
    Michael Winser (michaelwinser)
    nbanderson
    offensive-ai
    Francesco Placella (plach)
    quynh ho (qquynh)
    Himanshu Anand (unknownhad) 

Fixed By: 

    Lee Rowlands (larowlan) of the Drupal Security Team
    Dave Long (longwave) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Adam G-H (phenaproxima)
    Sean Blommaert (seanb) 

Coordinated By: 

    Benji Fisher (benjifisher) of the Drupal Security Team
    cilefen (cilefen) of the Drupal Security Team
    Damien McKenna (damienmckenna) of the Drupal Security Team
    Mori Sugimoto (dokumori) of the Drupal Security Team
    Greg Knaddison (greggles) of the Drupal Security Team
    Lee Rowlands (larowlan) of the Drupal Security Team
    Dave Long (longwave) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    James Gilliland (neclimdul) of the Drupal Security Team
    Juraj Nemec (poker10) of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 
_____________________________________________________________________

Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009
Project: Drupal core
Date: 2026-June-17
Security risk: 
Moderately critical 11 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Improper validation
Affected versions: 
<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 ||
>=11.3.0 <11.3.12 || 11.0.* || 11.1.*
CVE IDs: CVE-2026-55808


Description: 

The JSON:API and REST modules allow you to upload image files to
image fields.

The validation rules check the file extension of the uploaded file
but not the file MIME type. This may allow a malicious user to
upload a file that is not an image.

Certain web-server configurations may serve the uploaded file with
its actual MIME type rather than an image type. This may lead to
cross-site scripting (XSS) or other unexpected behavior.
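The gap described above is the difference between trusting the file name and inspecting the bytes. The following added example (not Drupal's code) shows an extension-only check beside a content check that sniffs the MIME type with finfo and then asks the image parser for a second opinion. The sample files are constructed inline: a 13-byte GIF header and an HTML document renamed to look like a PNG.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Drupal code: accept an "image" upload only if the
 * bytes are an image, not merely because the name ends in .png.
 *   1. finfo (libmagic) sniffs the MIME type from content;
 *   2. getimagesizefromstring() must also parse it as an allowed image type.
 */
const ALLOWED_IMAGE_MIME = ['image/png', 'image/gif', 'image/jpeg', 'image/webp'];

/** The pre-fix style of check: file name only. */
function extensionLooksLikeImage(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, ['png', 'gif', 'jpg', 'jpeg', 'webp'], true);
}

/** Content check, independent of the file name. */
function contentIsImage(string $bytes): bool
{
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->buffer($bytes);            // string|false
    if (!in_array($sniffed, ALLOWED_IMAGE_MIME, true)) {
        return false;
    }
    // Second opinion from the image parser; rejects truncated/garbage headers.
    $info = @getimagesizefromstring($bytes);
    return $info !== false && in_array($info['mime'], ALLOWED_IMAGE_MIME, true);
}

function acceptImageUpload(string $filename, string $bytes): bool
{
    return extensionLooksLikeImage($filename) && contentIsImage($bytes);
}

// Constructed samples, not real uploads.
$gif1x1 = "GIF89a\x01\x00\x01\x00\x00\x00\x00";   // minimal GIF header: 1x1, no image data
$html   = "<!DOCTYPE html><html><body><script>alert(document.domain)</script></body></html>";

assert(extensionLooksLikeImage('avatar.png') && extensionLooksLikeImage('AVATAR.PNG'));
assert(extensionLooksLikeImage('payload.php') === false);

// Name-only check lets both through; the content check stops the HTML.
assert(extensionLooksLikeImage('photo.gif') && extensionLooksLikeImage('photo.png'));
assert(acceptImageUpload('photo.gif', $gif1x1) === true);
assert(acceptImageUpload('photo.png', $html) === false);

printf("photo.gif (real GIF):  %s\n", acceptImageUpload('photo.gif', $gif1x1) ? 'accepted' : 'rejected');
printf("photo.png (HTML):      %s\n", acceptImageUpload('photo.png', $html) ? 'accepted' : 'rejected');
```

Content checks are necessary but not sufficient: a polyglot that begins with a valid GIF header and continues with HTML passes both checks above. The web-server side of the advisory's description therefore still matters: serve the files directory with the Content-Type implied by the image extension, never execute scripts from it, and send X-Content-Type-Options: nosniff so browsers do not reinterpret the bytes.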


Solution: 

Install the latest version:

Drupal 11

    If you use Drupal 11.3.x, update to Drupal 11.3.12.
    If you use Drupal 11.2.x, update to Drupal 11.2.14.

Drupal 10

    If you use Drupal 10.6.x, update to Drupal 10.6.11.
    If you use Drupal 10.5.x, update to Drupal 10.5.12.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are
end-of-life and do not receive security coverage. (Drupal 8
and Drupal 9 have both reached end-of-life.)


Reported By: 

    cantina_security 

Fixed By: 

    Björn Brala (bbrala)
    Kim Pepper (kim.pepper)
    Lee Rowlands (larowlan) of the Drupal Security Team 

Coordinated By: 

    Damien McKenna (damienmckenna) of the Drupal Security Team
    Greg Knaddison (greggles) of the Drupal Security Team
    Lee Rowlands (larowlan) of the Drupal Security Team
    Dave Long (longwave) of the Drupal Security Team
    Juraj Nemec (poker10) of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
