CVE-2026-55803 / CVE-2026-55804 — Drupal core: PHP object-injection chain in JSON:API, BSI-rated critical
From CTI Daily Brief — 2026-06-19 · published 2026-06-19
The Drupal Security Team published six advisories on 2026-06-17, fixed in 10.5.12, 10.6.11, 11.2.14 and 11.3.12; BSI escalated the aggregate rating to kritisch (critical) (Drupal SA-CORE-2026-005; BSI CERT-Bund WID-SEC-2026-2002).

CVE-2026-55803 (SA-CORE-2026-005, Critical) is a PHP object-injection flaw in the JSON:API module: an attacker with JSON:API write permission against an entity that uses a serialized custom field type can inject a malicious serialized payload. No core-shipped field type meets that prerequisite, so exploitation requires JSON:API write access (off by default) plus a contributed or custom entity-reference field that serializes its property. CVE-2026-55804 (SA-CORE-2026-006, Moderately critical) supplies the deserialization gadget chain that turns that injection into execution.

The remaining advisories cover a rebuild.php trusted-host bypass (CVE-2026-55806), a Media-module oEmbed SSRF (CVE-2026-55807) and a JSON:API/REST image-upload MIME-validation gap (CVE-2026-55808). No exploitation has been reported. The relevance here is footprint, not exploitation maturity: Drupal underpins a large share of Swiss federal/cantonal and EU-institution web estates.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-20181 | Cisco ISE / ISE-PIC (authenticated cmd exec → root) | 9.1 | n/a | No | No | ISE 3.3 P11 / 3.4 P6; 3.5 P4 (Aug 2026) | Cisco PSIRT |
| CVE-2026-20190 | Cisco ISE / ISE-PIC (unauth credential/data read) | 7.5 | n/a | No | No | ISE 3.4 P6 / 3.5 P3 | Cisco PSIRT |
| CVE-2026-12046 | pgAdmin 4 (unauth pickle.loads SQL-Editor RCE) | 9.5 (v4) | n/a | No | No | pgAdmin 4 v9.16 | pgAdmin |
| CVE-2026-12045 | pgAdmin 4 (AI-Assistant read-only bypass → RCE) | 9.4 (v4) | n/a | No | No | pgAdmin 4 v9.16 | pgAdmin |
| CVE-2026-12048 | pgAdmin 4 (stored XSS via error/EXPLAIN rendering) | 9.3 (v4) | n/a | No | No | pgAdmin 4 v9.16 | pgAdmin |
| CVE-2026-42530 | NGINX (HTTP/3 QUIC use-after-free) | 9.2 (v4) | n/a | No | No | OSS 1.31.2; Plus R36 P6 / 37.0.2.1 | NGINX |
| CVE-2026-42055 | NGINX (HTTP/2-proxy / gRPC heap overflow) | 9.2 (v4) | n/a | No | No | OSS 1.31.2 / 1.30.3; Plus R36 P6 | NGINX |
| CVE-2026-55803 | Drupal core (JSON:API PHP object injection) | n/a (Drupal: critical) | n/a | No | No | Drupal 10.5.12 / 10.6.11 / 11.2.14 / 11.3.12 | Drupal |
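Because each Drupal and NGINX branch received its own fixed release, a plain "is version >= X" check misclassifies installs on branches the advisories do not list. The script below is an added example, not part of the brief or any vendor tooling; it keys the fixed releases from the table above per CVE and per branch, reports unlisted branches separately instead of treating them as safe, and runs over a constructed, hypothetical host inventory.

```python
# Fixed releases per CVE and maintained branch (major.minor), copied from the
# brief's table. A branch with no listed fix is reported, never assumed safe.
FIXED_BY_CVE: dict[str, tuple[str, dict[str, tuple[int, ...]]]] = {
    "CVE-2026-55803": ("drupal", {"10.5": (10, 5, 12), "10.6": (10, 6, 11),
                                  "11.2": (11, 2, 14), "11.3": (11, 3, 12)}),
    "CVE-2026-42530": ("nginx-oss", {"1.31": (1, 31, 2)}),
    "CVE-2026-42055": ("nginx-oss", {"1.31": (1, 31, 2), "1.30": (1, 30, 3)}),
}

def parse_version(text: str) -> tuple[int, ...]:
    """'10.5.11' -> (10, 5, 11); rejects anything but dotted integers."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def status(version: str, fixed_by_branch: dict[str, tuple[int, ...]]) -> str:
    """'patched', 'vulnerable' or 'unsupported-branch' for one install."""
    v = parse_version(version)
    fixed = fixed_by_branch.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "unsupported-branch"
    return "patched" if v >= fixed else "vulnerable"

def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """(host, cve, status) for every install not patched against a listed CVE."""
    findings = []
    for host, product, version in inventory:
        for cve, (affected_product, fixed) in FIXED_BY_CVE.items():
            if affected_product != product:
                continue
            s = status(version, fixed)
            if s != "patched":
                findings.append((host, cve, s))
    return findings

# Constructed sample inventory (hypothetical hosts, not from the brief).
SAMPLE_INVENTORY = [
    ("www-01", "drupal", "10.5.11"),     # one release behind the fix
    ("www-02", "drupal", "11.3.12"),     # exactly the fixed release
    ("intranet", "drupal", "11.1.4"),    # branch with no fix listed
    ("edge-01", "nginx-oss", "1.30.2"),  # 1.30 fix listed only for CVE-2026-42055
    ("edge-02", "nginx-oss", "1.31.2"),  # fixed release for both NGINX CVEs
]

if __name__ == "__main__":
    for host, cve, s in triage(SAMPLE_INVENTORY):
        print(f"{host}: {cve} {s}")
```

An "unsupported-branch" finding means the advisory lists no fix for that branch, which is a signal to move to a maintained branch rather than to wait for a point release.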