Security Alert (A26-06-40): Multiple Vulnerabilities in Drupal Products

Description:

Drupal published a security advisory to address a vulnerability in several Drupal products. The details of security update can be found at:
https://www.drupal.org/sa-core-2026-005
https://www.drupal.org/sa-core-2026-006
https://www.drupal.org/sa-core-2026-007
https://www.drupal.org/sa-core-2026-008
https://www.drupal.org/sa-core-2026-009

Affected Systems:

• Drupal version prior to 10.5.12
• Drupal version 10.6.0 and later, prior to 10.6.11
• Drupal version 11.0.0 and later
• Drupal version 11.1.0 and later
• Drupal version 11.2.0 and later, prior to 11.2.14
• Drupal version 11.3.0 and later, prior to 11.3.12

For detailed information of the affected systems, please refer to the corresponding security advisories at vendor's website.

Please note that Drupal 10 prior to version 10.5 and Drupal 11 prior to 11.2 have reached End-Of-Life (EOL). No security updates will be provided after that. Users should arrange upgrading the Drupal to supported versions or migrating to other supported technology.

Impact:

Successful exploitation of the vulnerabilities could lead to remote code execution, spoofing or tampering on an affected system.

Recommendation:

Patches for affected systems are now available. System administrators of affected systems should follow the recommendations provided by the vendor and take immediate actions to mitigate the risk.

More Information:

• https://www.drupal.org/sa-core-2026-005
• https://www.drupal.org/sa-core-2026-006
• https://www.drupal.org/sa-core-2026-007
• https://www.drupal.org/sa-core-2026-008
• https://www.drupal.org/sa-core-2026-009
• https://www.hkcert.org/security-bulletin/drupal-multiple-vulnerabilities_20260623
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-55803 (to CVE-2026-55804)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-55806 (to CVE-2026-55808)