DRUPAL-CONTRIB-2026-044

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/examples/DRUPAL-CONTRIB-2026-044.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-044

Aliases

CVE-2026-11909

Published

2026-06-10T17:07:55Z

Modified

2026-06-10T21:00:05.193991908Z

Summary

[none]

Details

The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality.

The "Read from a file" feature implemented by the file_example submodule can be used to expose any file that PHP can access. Therefore, the file_example sub-module is being removed from Examples for Developers until a version demonstrating file security best practices can be added back in the future. Developers who based a new module on this example should review their code for an access bypass.

References

https://www.drupal.org/sa-contrib-2026-044

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/examples

Package

Name: drupal/examples
Purl: pkg:composer/drupal%2Fexamples

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

4.0.6

Database specific

{
    "constraint": "<4.0.6"
}

Database specific

affected_versions

"<4.0.6"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/examples/DRUPAL-CONTRIB-2026-044.json"