CVE-2026-55809
Drupal · Flag attendance field
An object injection vulnerability in the Drupal Flag attendance field module allows unauthorized modification of object attributes via improperly handled PHP-serialized strings.
Executive summary
A critical object injection vulnerability in the Drupal Flag attendance field module could allow attackers to execute arbitrary code or manipulate system data.
Vulnerability
Classified as CWE-915, this vulnerability occurs because the module stores data as PHP-serialized strings that are improperly validated. An attacker with permissions to edit content entities containing this field can inject malicious objects that are executed upon deserialization, potentially leading to full site compromise.
Business impact
With a CVSS score of 9.8, this vulnerability is critical. Successful exploitation allows for remote code execution or unauthorized modification of application attributes, which could lead to complete data exfiltration, administrative account takeovers, and significant reputational damage.
Remediation
Immediate Action: Immediately update the Drupal Flag attendance field module to version 8.x-1.2 or the latest available release as specified in the vendor advisory.
Proactive Monitoring: Review application logs for unusual PHP errors, unexpected serialization activity, or unauthorized attempts to edit content entity fields.
Compensating Controls: Utilize a Web Application Firewall (WAF) with rules configured to detect and block malicious serialized payloads in HTTP requests.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this object injection vulnerability necessitates an immediate update to version 8.x-1.2. Organizations should audit all content entities currently using the "Flag attendance field" module to ensure no malicious objects have already been injected into the database prior to the patch application.