ctipilot.ch

CVE-2026-55803 / CVE-2026-55804 — Drupal core: PHP object-injection chain in JSON:API, BSI-rated critical

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

The Drupal Security Team published six advisories on 2026-06-17, fixed in core releases 10.5.12, 10.6.11, 11.2.14 and 11.3.12; BSI escalated the aggregate to kritisch (critical) (Drupal SA-CORE-2026-005; BSI CERT-Bund; daily 06-19). Drupal runs a large share of European government and university sites, making this a public-sector CMS patch priority. Update core immediately.
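To triage a site inventory against the fixed releases listed above, the following added example (not code from Drupal, BSI or this brief's source) classifies core version strings per branch. The hostnames are constructed, and treating branches without a listed fixed release as "review" is an assumption of this sketch.

```python
import re

# Fixed core releases named in the brief, keyed by (major, minor) branch.
FIXED = {(10, 5): 12, (10, 6): 11, (11, 2): 14, (11, 3): 12}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def triage(version: str) -> str:
    """Return 'patched', 'update' or 'review' for one Drupal core version."""
    m = _VERSION.match(version.strip())
    if not m:
        return "review"  # e.g. '11.x-dev' or unparsable inventory data
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    has_suffix = m.group(4) is not None  # -rc1, -beta2, -dev ...
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Assumption: the brief lists no fixed release for this branch,
        # so a human has to decide (likely an unsupported branch).
        return "review"
    if patch > fixed_patch:
        return "patched"
    if patch == fixed_patch:
        # A pre-release build of the fixed version is not the release itself.
        return "review" if has_suffix else "patched"
    return "update"


def triage_inventory(inventory: dict) -> dict:
    """Group hostnames by triage result, hosts sorted within each group."""
    groups = {"update": [], "review": [], "patched": []}
    for host, version in sorted(inventory.items()):
        groups[triage(version)].append(host)
    return groups


# Constructed sample inventory (hostname -> reported core version).
SAMPLE = {
    "www.example.org": "10.5.11",
    "intranet.example.org": "11.3.12",
    "archive.example.org": "10.4.8",
    "staging.example.org": "11.x-dev",
    "portal.example.org": "11.2.14",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status:8} {', '.join(hosts) or '-'}")
```

Hosts in the "update" group are on a listed branch below its fixed release; "review" hosts need a manual decision before they can be marked as handled.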