{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75784?format=json","vulnerability_id":"VCID-mb8x-dcy7-5udu","summary":"Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\n\nThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.","aliases":[{"alias":"CVE-2026-6366"},{"alias":"GHSA-xmjc-63pr-2mpg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41337?format=json","purl":"pkg:composer/drupal/core@10.5.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.9"},{"url":"http://public2.vulnerablecode.io/api/packages/41335?format=json","purl":"pkg:composer/drupal/core@10.6.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.6.7"},{"url":"http://public2.vulnerablecode.io/api/packages/41336?format=json","purl":"pkg:composer/drupal/core@11.2.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.11"},{"url":"http://public2.vulnerablecode.io/api/packages/41333?format=json","purl":"pkg:composer/drupal/core@11.3.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.3.7"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/15635?format=json","purl":"pkg:composer/drupal/core@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yf-8sub-uyhb"},{"vulnerability":"VCID-1d2m-3ycf-3ycf"},{"vulnerability":"VCID-26ck-rher-hfg4"},{"vulnerability":"VCID-28cu-un2e-xub7"},{"vulnerability":"VCID-293a-m7nd-vygb"},{"vulnerability":"VCID-2wdn-8583-v3dg"},{"vulnerability":"VCID-335n-fzp7-k7bc"},{"vulnerability":"VCID-3avj-j2h8-qbhh"},{"vulnerability":"VCID-3y39-quaw-ufe8"},{"vulnerability":"VCID-4bym-pcfj-ykde"},{"vulnerability":"VCID-4sqe-bvj6-pkdq"},{"vulnerability":"VCID-57k5-xdsf-h3ch"},{"vulnerability":"VCID-57nk-7ugd-vucf"},{"vulnerability":"VCID-5ytn-jezc-bfdq"},{"vulnerability":"VCID-6pdz-udxy-ebhy"},{"vulnerability":"VCID-75bq-ccux-afdn"},{"vulnerability":"VCID-7mhn-vstn-bqh5"},{"vulnerability":"VCID-7sar-42a4-kqdy"},{"vulnerability":"VCID-85pr-rrx5-5keu"},{"vulnerability":"VCID-8h75-dgjd-nyc3"},{"vulnerability":"VCID-94he-hr4a-yygs"},{"vulnerability":"VCID-a4ps-1cdu-4ucv"},{"vulnerability":"VCID-a7jg-mx1k-57h3"},{"vulnerability":"VCID-aex1-r4xe-kkaj"},{"vulnerability":"VCID-agxw-t98a-j3bm"},{"vulnerability":"VCID-ajhs-t3zd-6qah"},{"vulnerability":"VCID-aqce-af3u-myd2"},{"vulnerability":"VCID-bha5-1s4u-3bg6"},{"vulnerability":"VCID-bmw2-bvu6-rkev"},{"vulnerability":"VCID-d6bg-1u2b-1qdt"},{"vulnerability":"VCID-daj4-u9em-mbc3"},{"vulnerability":"VCID-e427-q7jy-1uad"},{"vulnerability":"VCID-e4nv-qway-2ygf"},{"vulnerability":"VCID-e569-xntr-mkgm"},{"vulnerability":"VCID-e5uh-sqmj-qyg7"},{"vulnerability":"VCID-ed3c-h2ww-j3gm"},{"vulnerability":"VCID-eje5-fhmg-hbbt"},{"vulnerability":"VCID-fc3m-cktu-7uff"},{"vulnerability":"VCID-fqah-snwt-qfhj"},{"vulnerability":"VCID-ftd8-be73-5bc3"},{"vulnerability":"VCID-fwnm-xws3-8uhz"},{"vulnerability":"VCID-hcvb-4eys-2qg3"},{"vulnerability":"VCID-hdq9-fe9e-93hb"},{"vulnerability":"VCID-hmkt-cwbg-kqh4"},{"vulnerability":"VCID-hs3h-z841-67ge"},{"vulnerability":"VCID-jbd8-jvfd-cbbx"},{"vulnerability":"VCID-jnfd-5ez3-b7d1"},{"vulnerability":"VCID-k48k-jdda-zqbh"},{"vulnerability":"VCID-kepa-chya-sfdb"},{"vulnerability":"VCID-krdz-kyhc-efg5"},{"vulnerability":"VCID-krjp-u36k-17fs"},{"vulnerability":"VCID-kryq-8j5g-d7a6"},{"vulnerability":"VCID-ku79-by46-s3h9"},{"vulnerability":"VCID-mb8x-dcy7-5udu"},{"vulnerability":"VCID-mjjh-e7up-6ubf"},{"vulnerability":"VCID-mntp-ycvs-a7cd"},{"vulnerability":"VCID-mt7b-j5j8-7qdb"},{"vulnerability":"VCID-muhk-wbuy-97bu"},{"vulnerability":"VCID-nhub-1map-n3by"},{"vulnerability":"VCID-nx17-duan-vyak"},{"vulnerability":"VCID-qec2-bj92-pue9"},{"vulnerability":"VCID-qtax-krps-1udn"},{"vulnerability":"VCID-qvsn-ab7h-cqc5"},{"vulnerability":"VCID-rf34-12k7-xbh4"},{"vulnerability":"VCID-s5ak-abr9-vbe6"},{"vulnerability":"VCID-saqq-4efb-affy"},{"vulnerability":"VCID-sbsk-ydyr-kfbt"},{"vulnerability":"VCID-sdue-15dg-4ugt"},{"vulnerability":"VCID-sgub-4xen-bbcy"},{"vulnerability":"VCID-tdsq-5bqr-aufq"},{"vulnerability":"VCID-tf14-rq7e-17av"},{"vulnerability":"VCID-tk5j-xph4-q3e5"},{"vulnerability":"VCID-ufsx-tacm-afg8"},{"vulnerability":"VCID-uhb6-fx8q-cqe5"},{"vulnerability":"VCID-ukak-793e-m3gx"},{"vulnerability":"VCID-v3nf-tw9b-13c1"},{"vulnerability":"VCID-v59c-81z7-q7aw"},{"vulnerability":"VCID-v69x-fke2-h7a6"},{"vulnerability":"VCID-v7ya-c9mf-e7dp"},{"vulnerability":"VCID-vafp-yvad-t3b3"},{"vulnerability":"VCID-vc7s-6p62-bfaw"},{"vulnerability":"VCID-vpn8-qteh-9yhz"},{"vulnerability":"VCID-vrva-c7km-ekda"},{"vulnerability":"VCID-w5a9-jg34-3ubx"},{"vulnerability":"VCID-wn4r-rc6m-xbhy"},{"vulnerability":"VCID-xcck-137u-wyam"},{"vulnerability":"VCID-xgtt-3z1m-b3ag"},{"vulnerability":"VCID-xhgk-sf8f-fuav"},{"vulnerability":"VCID-xsma-2ryf-zqd4"},{"vulnerability":"VCID-xyu6-aqjk-r7g7"},{"vulnerability":"VCID-yj7d-w9vg-23dn"},{"vulnerability":"VCID-yjm8-gadp-jkhr"},{"vulnerability":"VCID-yku8-k9fs-d7c8"},{"vulnerability":"VCID-ypdc-yptn-7qdp"},{"vulnerability":"VCID-zt27-b3qc-fbac"},{"vulnerability":"VCID-zxut-nxke-7fce"},{"vulnerability":"VCID-zymc-a812-1ua5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/41334?format=json","purl":"pkg:composer/drupal/core@10.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mb8x-dcy7-5udu"},{"vulnerability":"VCID-saqq-4efb-affy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.6.0"},{"url":"http://public2.vulnerablecode.io/api/packages/33155?format=json","purl":"pkg:composer/drupal/core@11.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1d2m-3ycf-3ycf"},{"vulnerability":"VCID-1w42-v1sq-fkac"},{"vulnerability":"VCID-227y-mp79-jydd"},{"vulnerability":"VCID-26ck-rher-hfg4"},{"vulnerability":"VCID-4sqe-bvj6-pkdq"},{"vulnerability":"VCID-7sar-42a4-kqdy"},{"vulnerability":"VCID-94he-hr4a-yygs"},{"vulnerability":"VCID-aqce-af3u-myd2"},{"vulnerability":"VCID-e5uh-sqmj-qyg7"},{"vulnerability":"VCID-ggb3-jgrj-hken"},{"vulnerability":"VCID-mb8x-dcy7-5udu"},{"vulnerability":"VCID-nx17-duan-vyak"},{"vulnerability":"VCID-rf34-12k7-xbh4"},{"vulnerability":"VCID-saqq-4efb-affy"},{"vulnerability":"VCID-tdsq-5bqr-aufq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/41332?format=json","purl":"pkg:composer/drupal/core@11.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29f2-xku4-b7cs"},{"vulnerability":"VCID-mb8x-dcy7-5udu"},{"vulnerability":"VCID-saqq-4efb-affy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.3.0"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6366","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20455","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.23964","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.25265","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.25251","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6366"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6366","reference_id":"CVE-2026-6366","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6366"},{"reference_url":"https://github.com/advisories/GHSA-xmjc-63pr-2mpg","reference_id":"GHSA-xmjc-63pr-2mpg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xmjc-63pr-2mpg"},{"reference_url":"https://www.drupal.org/sa-core-2026-002","reference_id":"sa-core-2026-002","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-20T12:57:29Z/"}],"url":"https://www.drupal.org/sa-core-2026-002"}],"weaknesses":[{"cwe_id":915,"name":"Improperly Controlled Modification of Dynamically-Determined Object Attributes","description":"The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mb8x-dcy7-5udu"}