CVE-2026-55809

Drupal · Flag attendance field

An object injection vulnerability in the Drupal Flag attendance field module allows unauthorized modification of object attributes via improperly handled PHP-serialized strings.

Executive summary

A critical object injection vulnerability in the Drupal Flag attendance field module could allow attackers to execute arbitrary code or manipulate system data.

Vulnerability

Classified as CWE-915, this vulnerability occurs because the module stores data as PHP-serialized strings that are improperly validated. An attacker with permissions to edit content entities containing this field can inject malicious objects that are executed upon deserialization, potentially leading to full site compromise.

Business impact

With a CVSS score of 9.8, this vulnerability is critical. Successful exploitation allows for remote code execution or unauthorized modification of application attributes, which could lead to complete data exfiltration, administrative account takeovers, and significant reputational damage.

Remediation

Immediate Action: Immediately update the Drupal Flag attendance field module to version 8.x-1.2 or the latest available release as specified in the vendor advisory.

Proactive Monitoring: Review application logs for unusual PHP errors, unexpected serialization activity, or unauthorized attempts to edit content entity fields.

Compensating Controls: Utilize a Web Application Firewall (WAF) with rules configured to detect and block malicious serialized payloads in HTTP requests.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The severity of this object injection vulnerability necessitates an immediate update to version 8.x-1.2. Organizations should audit all content entities currently using the "Flag attendance field" module to ensure no malicious objects have already been injected into the database prior to the patch application.