Home · Live brief · Weekly 2026-W26
CVE-2026-55803 / CVE-2026-55804 — Drupal core: PHP object-injection chain in JSON:API, BSI-rated critical
notable vulnerability discovered 2026-06-22 00:14 UTC
Part of run 2026-W25-0aacfe65 (weekly · Claude Opus 4.8)
The Drupal Security Team published six advisories on 2026-06-17 (fixed in 10.5.12, 10.6.11, 11.2.14, 11.3.12); BSI escalated the aggregate to kritisch (Drupal SA-CORE-2026-005; BSI CERT-Bund; daily 06-19). Drupal runs a large share of European government and university sites, making this a public-sector CMS patch priority. Update core immediately.