DRUPAL-CORE-2026-008

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2026-008.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CORE-2026-008
Aliases
  • CVE-2026-55807
Published
2026-06-17T18:57:49Z
Modified
2026-06-17T19:41:28.520824Z
Summary
[none]
Details

The Media module comes with support for oEmbed. The oEmbed specification contains two discovery mechanisms, via providers.json and via URL discovery.

The URL discovery code could be leveraged to trick Drupal into making server-side requests to any URL.

References
Credits

Affected packages

Packagist / drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal%2Fcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.5.12
Database specific 
{
    "constraint": "<10.5.12"
}
Type
ECOSYSTEM
Events
Introduced
10.6.0
Fixed
10.6.11
Database specific 
{
    "constraint": ">=10.6.0 <10.6.11"
}
Type
ECOSYSTEM
Events
Introduced
11.2.0
Fixed
11.2.14
Database specific 
{
    "constraint": ">=11.2.0 <11.2.14"
}
Type
ECOSYSTEM
Events
Introduced
11.3.0
Fixed
11.3.12
Database specific 
{
    "constraint": ">=11.3.0 <11.3.12"
}
Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.1.0
Database specific 
{
    "constraint": "11.0.*"
}
Type
ECOSYSTEM
Events
Introduced
11.1.0
Fixed
11.2.0
Database specific 
{
    "constraint": "11.1.*"
}

Affected versions

8.*
8.0.0-beta6
8.0.0-beta7
8.0.0-beta8
8.0.0-beta9
8.0.0-beta10
8.0.0-beta11
8.0.0-beta12
8.0.0-beta13
8.0.0-beta14
8.0.0-beta15
8.0.0-beta16
8.0.0-rc1
8.0.0-rc2
8.0.0-rc3
8.0.0-rc4
8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.1.0-beta1
8.1.0-beta2
8.1.0-rc1
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.1.9
8.1.10
8.2.0-beta1
8.2.0-beta2
8.2.0-beta3
8.2.0-rc1
8.2.0-rc2
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
8.2.8
8.3.0-alpha1
8.3.0-beta1
8.3.0-rc1
8.3.0-rc2
8.3.0
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.3.6
8.3.7
8.3.8
8.3.9
8.4.0-alpha1
8.4.0-beta1
8.4.0-rc1
8.4.0-rc2
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6
8.4.7
8.4.8
8.5.0-alpha1
8.5.0-beta1
8.5.0-rc1
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.7
8.5.8
8.5.9
8.5.10
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.6.0-alpha1
8.6.0-beta1
8.6.0-beta2
8.6.0-rc1
8.6.0
8.6.1
8.6.2
8.6.3
8.6.4
8.6.5
8.6.6
8.6.7
8.6.8
8.6.9
8.6.10
8.6.11
8.6.12
8.6.13
8.6.14
8.6.15
8.6.16
8.6.17
8.6.18
8.7.0-alpha1
8.7.0-alpha2
8.7.0-beta1
8.7.0-beta2
8.7.0-rc1
8.7.0
8.7.1
8.7.2
8.7.3
8.7.4
8.7.5
8.7.6
8.7.7
8.7.8
8.7.9
8.7.10
8.7.11
8.7.12
8.7.13
8.7.14
8.8.0-alpha1
8.8.0-beta1
8.8.0-rc1
8.8.0
8.8.1
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.8.7
8.8.8
8.8.9
8.8.10
8.8.11
8.8.12
8.9.0-beta1
8.9.0-beta2
8.9.0-beta3
8.9.0-rc1
8.9.0
8.9.1
8.9.2
8.9.3
8.9.4
8.9.5
8.9.6
8.9.7
8.9.8
8.9.9
8.9.10
8.9.11
8.9.12
8.9.13
8.9.14
8.9.15
8.9.16
8.9.17
8.9.18
8.9.19
8.9.20
9.*
9.0.0-alpha1
9.0.0-alpha2
9.0.0-beta1
9.0.0-beta2
9.0.0-beta3
9.0.0-rc1
9.0.0
9.0.1
9.0.2
9.0.3
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.9
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.1.0-alpha1
9.1.0-beta1
9.1.0-rc1
9.1.0-rc2
9.1.0-rc3
9.1.0
9.1.1
9.1.2
9.1.3
9.1.4
9.1.5
9.1.6
9.1.7
9.1.8
9.1.9
9.1.10
9.1.11
9.1.12
9.1.13
9.1.14
9.1.15
9.2.0-alpha1
9.2.0-beta1
9.2.0-beta2
9.2.0-beta3
9.2.0-rc1
9.2.0
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.2.7
9.2.8
9.2.9
9.2.10
9.2.11
9.2.12
9.2.13
9.2.14
9.2.15
9.2.16
9.2.17
9.2.18
9.2.19
9.2.20
9.2.21
9.3.0-alpha1
9.3.0-beta1
9.3.0-beta2
9.3.0-beta3
9.3.0-rc1
9.3.0
9.3.1
9.3.2
9.3.3
9.3.4
9.3.5
9.3.6
9.3.7
9.3.8
9.3.9
9.3.10
9.3.11
9.3.12
9.3.13
9.3.14
9.3.15
9.3.16
9.3.17
9.3.18
9.3.19
9.3.20
9.3.21
9.3.22
9.4.0-alpha1
9.4.0-beta1
9.4.0-rc1
9.4.0-rc2
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.4.10
9.4.11
9.4.12
9.4.13
9.4.14
9.4.15
9.5.0-beta1
9.5.0-beta2
9.5.0-rc1
9.5.0-rc2
9.5.0
9.5.1
9.5.2
9.5.3
9.5.4
9.5.5
9.5.6
9.5.7
9.5.8
9.5.9
9.5.10
9.5.11
10.*
10.0.0-alpha1
10.0.0-alpha2
10.0.0-alpha3
10.0.0-alpha4
10.0.0-alpha5
10.0.0-alpha6
10.0.0-alpha7
10.0.0-beta1
10.0.0-beta2
10.0.0-rc1
10.0.0-rc2
10.0.0-rc3
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9
10.0.10
10.0.11
10.1.0-alpha1
10.1.0-beta1
10.1.0-rc1
10.1.0
10.1.1
10.1.2
10.1.3
10.1.4
10.1.5
10.1.6
10.1.7
10.1.8
10.2.0-alpha1
10.2.0-beta1
10.2.0-rc1
10.2.0
10.2.1
10.2.2
10.2.3
10.2.4
10.2.5
10.2.6
10.2.7
10.2.8
10.2.9
10.2.10
10.2.11
10.2.12
10.3.0-beta1
10.3.0-rc1
10.3.0
10.3.1
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6
10.3.7
10.3.8
10.3.9
10.3.10
10.3.11
10.3.12
10.3.13
10.3.14
10.4.0-beta1
10.4.0-rc1
10.4.0
10.4.1
10.4.2
10.4.3
10.4.4
10.4.5
10.4.6
10.4.7
10.4.8
10.4.9
10.4.10
10.5.0-beta1
10.5.0-rc1
10.5.0
10.5.1
10.5.2
10.5.3
10.5.4
10.5.5
10.5.6
10.5.7
10.5.8
10.5.9
10.5.10
10.5.11
10.6.0
10.6.1
10.6.2
10.6.3
10.6.4
10.6.5
10.6.6
10.6.7
10.6.8
10.6.9
10.6.10
11.*
11.0.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5
11.0.6
11.0.7
11.0.8
11.0.9
11.0.10
11.0.11
11.0.12
11.0.13
11.1.0-beta1
11.1.0-rc1
11.1.0
11.1.1
11.1.2
11.1.3
11.1.4
11.1.5
11.1.6
11.1.7
11.1.8
11.1.9
11.1.10
11.2.0-alpha1
11.2.0-beta1
11.2.0-rc1
11.2.0-rc2
11.2.0
11.2.1
11.2.2
11.2.3
11.2.4
11.2.5
11.2.6
11.2.7
11.2.8
11.2.9
11.2.10
11.2.11
11.2.12
11.2.13
11.3.0
11.3.1
11.3.2
11.3.3
11.3.4
11.3.5
11.3.6
11.3.7
11.3.8
11.3.9
11.3.10
11.3.11

Database specific

affected_versions 
"<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*"
source 
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2026-008.json"