DRUPAL-CONTRIB-2026-064

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tealiumiq/DRUPAL-CONTRIB-2026-064.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-064

Aliases

CVE-2026-13244

Published

2026-06-26T15:27:49Z

Modified

2026-06-27T19:30:05.781218550Z

Summary

[none]

Details

The Tealium iQ Tag Management module provides Drupal integration with Tealium iQ.

tealiumiq stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an Object Injection vulnerability when the data are unserialized.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a content entity with an attached tealiumiq field. In addition, the core jsonapi module must be enabled with the option "Accept all JSON:API create, read, update, and delete operations", which is not the default, or the attacker needs some other way to edit field values directly.

Note: This project was marked as Unsupported by the Drupal Security Team on 2026-06-24 but a fix was released and the project restored on 2026-06-26.

References

https://www.drupal.org/sa-contrib-2026-064

Credits

- Drew Webber (mcdruid)
- - https://www.drupal.org/u/mcdruid

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/tealiumiq

Package

Name: drupal/tealiumiq
Purl: pkg:composer/drupal%2Ftealiumiq

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.4.0

Database specific

{
    "constraint": "<2.4.0"
}

Database specific

affected_versions

"<2.4.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tealiumiq/DRUPAL-CONTRIB-2026-064.json"