Search for vulnerabilities
Vulnerability details: VCID-4jtc-4hr1-nkdh
Vulnerability ID VCID-4jtc-4hr1-nkdh
Aliases CVE-2024-55638
GHSA-gvf2-2f4g-jqf4
Summary Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-502 Deserialization of Untrusted Data
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
System Score Found at
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-gvf2-2f4g-jqf4
cvssv3.1 9.8 https://github.com/drupal/core
generic_textual HIGH https://github.com/drupal/core
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2024-55638
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-55638
cvssv3.1 9.8 https://www.drupal.org/sa-core-2024-008
generic_textual HIGH https://www.drupal.org/sa-core-2024-008
ssvc Track https://www.drupal.org/sa-core-2024-008
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-55638
https://github.com/drupal/core
https://nvd.nist.gov/vuln/detail/CVE-2024-55638
https://www.drupal.org/sa-core-2024-008
GHSA-gvf2-2f4g-jqf4 https://github.com/advisories/GHSA-gvf2-2f4g-jqf4
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/drupal/core
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-55638
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.drupal.org/sa-core-2024-008
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-10T21:19:33Z/ Found at https://www.drupal.org/sa-core-2024-008
Exploit Prediction Scoring System (EPSS)
Percentile 0.86864
EPSS Score 0.0339
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:09:37.109167+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-gvf2-2f4g-jqf4/GHSA-gvf2-2f4g-jqf4.json 36.1.3