DRUPAL-CORE-2026-009

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2026-009.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CORE-2026-009

Aliases

CVE-2026-55808

Published

2026-06-17T18:58:02Z

Modified

2026-06-17T19:41:28.298817Z

Summary

[none]

Details

The JSON:API and REST modules allow you to upload image files to image fields.

The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.

Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.

References

https://www.drupal.org/sa-core-2026-009

Credits

- cantina_security
- - https://www.drupal.org/u/cantina_security

Affected packages

Packagist / drupal/core

Package

Name: drupal/core
Purl: pkg:composer/drupal%2Fcore

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

10.5.12

Database specific

{
    "constraint": "<10.5.12"
}

Type

ECOSYSTEM

Events

Introduced

10.6.0

Fixed

10.6.11

Database specific

{
    "constraint": ">=10.6.0 <10.6.11"
}

Type

ECOSYSTEM

Events

Introduced

11.2.0

Fixed

11.2.14

Database specific

{
    "constraint": ">=11.2.0 <11.2.14"
}

Type

ECOSYSTEM

Events

Introduced

11.3.0

Fixed

11.3.12

Database specific

{
    "constraint": ">=11.3.0 <11.3.12"
}

Type

ECOSYSTEM

Events

Introduced

11.0.0

Fixed

11.1.0

Database specific

{
    "constraint": "11.0.*"
}

Type

ECOSYSTEM

Events

Introduced

11.1.0

Fixed

11.2.0

Database specific

{
    "constraint": "11.1.*"
}

Affected versions

8.*

8.0.0-beta6

8.0.0-beta7

8.0.0-beta8

8.0.0-beta9

8.0.0-beta10

8.0.0-beta11

8.0.0-beta12

8.0.0-beta13

8.0.0-beta14

8.0.0-beta15

8.0.0-beta16

8.0.0-rc1

8.0.0-rc2

8.0.0-rc3

8.0.0-rc4

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.1.0-beta1

8.1.0-beta2

8.1.0-rc1

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

8.1.10

8.2.0-beta1

8.2.0-beta2

8.2.0-beta3

8.2.0-rc1

8.2.0-rc2

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

8.2.8

8.3.0-alpha1

8.3.0-beta1

8.3.0-rc1

8.3.0-rc2

8.3.0

8.3.1

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6

8.3.7

8.3.8

8.3.9

8.4.0-alpha1

8.4.0-beta1

8.4.0-rc1

8.4.0-rc2

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.4.6

8.4.7

8.4.8

8.5.0-alpha1

8.5.0-beta1

8.5.0-rc1

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.6.0-alpha1

8.6.0-beta1

8.6.0-beta2

8.6.0-rc1

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.6.5

8.6.6

8.6.7

8.6.8

8.6.9

8.6.10

8.6.11

8.6.12

8.6.13

8.6.14

8.6.15

8.6.16

8.6.17

8.6.18

8.7.0-alpha1

8.7.0-alpha2

8.7.0-beta1

8.7.0-beta2

8.7.0-rc1

8.7.0

8.7.1

8.7.2

8.7.3

8.7.4

8.7.5

8.7.6

8.7.7

8.7.8

8.7.9

8.7.10

8.7.11

8.7.12

8.7.13

8.7.14

8.8.0-alpha1

8.8.0-beta1

8.8.0-rc1

8.8.0

8.8.1

8.8.2

8.8.3

8.8.4

8.8.5

8.8.6

8.8.7

8.8.8

8.8.9

8.8.10

8.8.11

8.8.12

8.9.0-beta1

8.9.0-beta2

8.9.0-beta3

8.9.0-rc1

8.9.0

8.9.1

8.9.2

8.9.3

8.9.4

8.9.5

8.9.6

8.9.7

8.9.8

8.9.9

8.9.10

8.9.11

8.9.12

8.9.13

8.9.14

8.9.15

8.9.16

8.9.17

8.9.18

8.9.19

8.9.20

9.*

9.0.0-alpha1

9.0.0-alpha2

9.0.0-beta1

9.0.0-beta2

9.0.0-beta3

9.0.0-rc1

9.0.0

9.0.1

9.0.2

9.0.3

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.9

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.1.0-alpha1

9.1.0-beta1

9.1.0-rc1

9.1.0-rc2

9.1.0-rc3

9.1.0

9.1.1

9.1.2

9.1.3

9.1.4

9.1.5

9.1.6

9.1.7

9.1.8

9.1.9

9.1.10

9.1.11

9.1.12

9.1.13

9.1.14

9.1.15

9.2.0-alpha1

9.2.0-beta1

9.2.0-beta2

9.2.0-beta3

9.2.0-rc1

9.2.0

9.2.1

9.2.2

9.2.3

9.2.4

9.2.5

9.2.6

9.2.7

9.2.8

9.2.9

9.2.10

9.2.11

9.2.12

9.2.13

9.2.14

9.2.15

9.2.16

9.2.17

9.2.18

9.2.19

9.2.20

9.2.21

9.3.0-alpha1

9.3.0-beta1

9.3.0-beta2

9.3.0-beta3

9.3.0-rc1

9.3.0

9.3.1

9.3.2

9.3.3

9.3.4

9.3.5

9.3.6

9.3.7

9.3.8

9.3.9

9.3.10

9.3.11

9.3.12

9.3.13

9.3.14

9.3.15

9.3.16

9.3.17

9.3.18

9.3.19

9.3.20

9.3.21

9.3.22

9.4.0-alpha1

9.4.0-beta1

9.4.0-rc1

9.4.0-rc2

9.4.0

9.4.1

9.4.2

9.4.3

9.4.4

9.4.5

9.4.6

9.4.7

9.4.8

9.4.9

9.4.10

9.4.11

9.4.12

9.4.13

9.4.14

9.4.15

9.5.0-beta1

9.5.0-beta2

9.5.0-rc1

9.5.0-rc2

9.5.0

9.5.1

9.5.2

9.5.3

9.5.4

9.5.5

9.5.6

9.5.7

9.5.8

9.5.9

9.5.10

9.5.11

10.*

10.0.0-alpha1

10.0.0-alpha2

10.0.0-alpha3

10.0.0-alpha4

10.0.0-alpha5

10.0.0-alpha6

10.0.0-alpha7

10.0.0-beta1

10.0.0-beta2

10.0.0-rc1

10.0.0-rc2

10.0.0-rc3

10.0.0

10.0.1

10.0.2

10.0.3

10.0.4

10.0.5

10.0.6

10.0.7

10.0.8

10.0.9

10.0.10

10.0.11

10.1.0-alpha1

10.1.0-beta1

10.1.0-rc1

10.1.0

10.1.1

10.1.2

10.1.3

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.2.0-alpha1

10.2.0-beta1

10.2.0-rc1

10.2.0

10.2.1

10.2.2

10.2.3

10.2.4

10.2.5

10.2.6

10.2.7

10.2.8

10.2.9

10.2.10

10.2.11

10.2.12

10.3.0-beta1

10.3.0-rc1

10.3.0

10.3.1

10.3.2

10.3.3

10.3.4

10.3.5

10.3.6

10.3.7

10.3.8

10.3.9

10.3.10

10.3.11

10.3.12

10.3.13

10.3.14

10.4.0-beta1

10.4.0-rc1

10.4.0

10.4.1

10.4.2

10.4.3

10.4.4

10.4.5

10.4.6

10.4.7

10.4.8

10.4.9

10.4.10

10.5.0-beta1

10.5.0-rc1

10.5.0

10.5.1

10.5.2

10.5.3

10.5.4

10.5.5

10.5.6

10.5.7

10.5.8

10.5.9

10.5.10

10.5.11

10.6.0

10.6.1

10.6.2

10.6.3

10.6.4

10.6.5

10.6.6

10.6.7

10.6.8

10.6.9

10.6.10

11.*

11.0.0

11.0.1

11.0.2

11.0.3

11.0.4

11.0.5

11.0.6

11.0.7

11.0.8

11.0.9

11.0.10

11.0.11

11.0.12

11.0.13

11.1.0-beta1

11.1.0-rc1

11.1.0

11.1.1

11.1.2

11.1.3

11.1.4

11.1.5

11.1.6

11.1.7

11.1.8

11.1.9

11.1.10

11.2.0-alpha1

11.2.0-beta1

11.2.0-rc1

11.2.0-rc2

11.2.0

11.2.1

11.2.2

11.2.3

11.2.4

11.2.5

11.2.6

11.2.7

11.2.8

11.2.9

11.2.10

11.2.11

11.2.12

11.2.13

11.3.0

11.3.1

11.3.2

11.3.3

11.3.4

11.3.5

11.3.6

11.3.7

11.3.8

11.3.9

11.3.10

11.3.11

Database specific

affected_versions

"<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2026-009.json"