CVE-2026-12535
Drupal · Formatter Field
The Drupal Formatter Field module contains an object injection vulnerability due to improper control of dynamically determined object attributes.
Executive summary
The Drupal Formatter Field module is affected by a critical object injection vulnerability that could allow attackers to manipulate application data and behavior.
Vulnerability
The vulnerability involves improper control of dynamically determined object attributes, leading to potential object injection. This allows an unauthenticated attacker to manipulate how the application processes data, potentially leading to arbitrary code execution or data corruption.
Business impact
The CVSS score of 9.8 indicates a critical severity level, posing a significant threat to the entire Drupal installation. Successful exploitation allows an attacker to inject and manipulate objects, which can result in full system compromise, unauthorized data modification, or the execution of malicious logic within the server environment.
Remediation
Immediate Action: Update the Drupal Formatter Field module to version 2.0.0 or later to resolve the underlying object injection flaw.
Proactive Monitoring: Review system and application logs for unusual object-related errors or anomalies that might indicate an attempted injection attack.
Compensating Controls: Deploy a WAF with rules designed to detect and block common object injection patterns or abnormal input structures that could trigger this vulnerability.
Exploitation status
Public Exploit Available: No (unknown)
Analyst recommendation
Given the critical impact of object injection vulnerabilities, organizations must prioritize updating the Formatter Field module. Testing the update in a staging environment before deployment is recommended to ensure compatibility, but the urgency of this patch suggests a rapid deployment timeline.