CVE-2026-12535

Drupal · Formatter Field

The Drupal Formatter Field module contains an object injection vulnerability due to improper control of dynamically determined object attributes.

Executive summary

The Drupal Formatter Field module is affected by a critical object injection vulnerability that could allow attackers to manipulate application data and behavior.

Vulnerability

The vulnerability involves improper control of dynamically determined object attributes, leading to potential object injection. This allows an unauthenticated attacker to manipulate how the application processes data, potentially leading to arbitrary code execution or data corruption.

Business impact

The CVSS score of 9.8 indicates a critical severity level, posing a significant threat to the entire Drupal installation. Successful exploitation allows an attacker to inject and manipulate objects, which can result in full system compromise, unauthorized data modification, or the execution of malicious logic within the server environment.

Remediation

Immediate Action: Update the Drupal Formatter Field module to version 2.0.0 or later to resolve the underlying object injection flaw.

Proactive Monitoring: Review system and application logs for unusual object-related errors or anomalies that might indicate an attempted injection attack.

Compensating Controls: Deploy a WAF with rules designed to detect and block common object injection patterns or abnormal input structures that could trigger this vulnerability.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

Given the critical impact of object injection vulnerabilities, organizations must prioritize updating the Formatter Field module. Testing the update in a staging environment before deployment is recommended to ensure compatibility, but the urgency of this patch suggests a rapid deployment timeline.