Drupal Security Team Issues Eight Advisories for Core and Contributed Modules
Security advisories published by the Drupal Security Team on 17 June 2026 cover five Drupal core vulnerabilities and three contributed-module issues across supported Drupal 10 and 11 branches. The core fixes are included in Drupal 10.5.12, 10.6.11, 11.2.14, and 11.3.12. The most relevant exposure paths involve JSON:API write access, oEmbed URL discovery, image upload validation, and field data stored as PHP-serialized strings under specific conditions.
The advisory batch matters most for site teams running supported Drupal core branches or using affected contributed modules with editable field data. The core advisories list affected versions as earlier than 10.5.12, 10.6.0 through 10.6.10, 11.2.0 through 11.2.13, and 11.3.0 through 11.3.11, along with Drupal 11.0.x and 11.1.x. Because 11.1.x, 11.0.x, 10.4.x, and older branches are end-of-life and receive no security coverage, no fixed release exists for them; sites still on those branches have to move to a supported branch to pick up the fixes.
The highest-severity core advisory is SA-CORE-2026-005, a critical PHP object injection issue tied to rare JSON:API write paths. The advisory says exploitation requires a site to use an entity reference field type that stores a serialized property and an attacker with permission to write to the entity through JSON:API. It also states that no field type shipped with Drupal core meets those criteria and that JSON:API is read-only by default.
Three contributed modules carry related critical PHP object injection advisories and need module-specific checks. Formatter Field versions before 2.0.0, Flag attendance field versions before 8.x-1.2, and Plotly.js Graphing versions before 3.0.2 store some field data as PHP-serialized strings. Each advisory says exploitation requires permission to edit an entity with the affected field and either JSON:API configured to accept write operations or another way to edit field values directly, so the default read-only JSON:API configuration narrows the exposure for these modules but does not remove it.
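The two conditions that recur in the core and contributed-module advisories, JSON:API accepting writes and a field type that stores PHP-serialized data, can both be read off a site. The Drush script below is an added example, not code from Drupal core or from the advisories. It assumes a Drupal 10 or 11 site with Drush installed, and it relies on the mechanism Drupal's SQL storage uses for PHP-serialized field data: a column in the field type's schema marked `'serialize' => TRUE`. The advisories do not give the field type machine names for the three modules, so the script does not hard-code them; it lists every field storage with a serialized column, its providing module, and whether the type is an entity reference type. The filename `audit-serialized-fields.php` is arbitrary.

```php
<?php

/**
 * Added audit script (example code, not part of Drupal core or the advisories).
 * Save as audit-serialized-fields.php in the site root and run:
 *
 *   drush php:script audit-serialized-fields.php
 *
 * Reports whether JSON:API accepts writes (jsonapi.settings:read_only is FALSE)
 * and lists every field storage whose SQL schema marks a column
 * 'serialize' => TRUE, noting which of those are entity reference types.
 */

use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Field\Plugin\Field\FieldType\EntityReferenceItem;

$jsonapi_on = \Drupal::moduleHandler()->moduleExists('jsonapi');
// read_only defaults to TRUE; a site that set it to FALSE accepts POST/PATCH/DELETE.
$read_only = $jsonapi_on ? (bool) \Drupal::config('jsonapi.settings')->get('read_only') : NULL;

$field_type_manager = \Drupal::service('plugin.manager.field.field_type');
$field_manager = \Drupal::service('entity_field.manager');
$findings = [];

foreach (\Drupal::entityTypeManager()->getDefinitions() as $entity_type_id => $entity_type) {
  // Only fieldable entity types (node, user, media, ...) carry field storage.
  if (!$entity_type->entityClassImplements(FieldableEntityInterface::class)) {
    continue;
  }
  foreach ($field_manager->getFieldStorageDefinitions($entity_type_id) as $field_name => $storage) {
    try {
      $columns = $storage->getSchema()['columns'] ?? [];
    }
    catch (\Throwable $e) {
      // A field whose type plugin is missing cannot describe its schema; skip it.
      continue;
    }
    $serialized = array_keys(array_filter($columns, fn(array $spec) => !empty($spec['serialize'])));
    if ($serialized === []) {
      continue;
    }
    $type = $storage->getType();
    $plugin = $field_type_manager->getDefinition($type, FALSE) ?? [];
    $findings[] = [
      'entity_type' => $entity_type_id,
      'field' => $field_name,
      'type' => $type,
      'provider' => $plugin['provider'] ?? 'unknown',
      'entity_ref' => isset($plugin['class']) && is_a($plugin['class'], EntityReferenceItem::class, TRUE),
      'columns' => implode(',', $serialized),
    ];
  }
}

printf("JSON:API enabled: %s, read_only: %s\n", $jsonapi_on ? 'yes' : 'no', var_export($read_only, TRUE));
if ($findings === []) {
  echo "No field storage with serialized columns found.\n";
  return;
}
$row = "%-12s %-32s %-28s %-16s %-10s %s\n";
printf($row, 'entity', 'field', 'type', 'provider', 'entity_ref', 'serialized columns');
foreach ($findings as $f) {
  printf($row, $f['entity_type'], $f['field'], $f['type'], $f['provider'], $f['entity_ref'] ? 'yes' : 'no', $f['columns']);
}
if ($jsonapi_on && $read_only === FALSE) {
  echo "WARNING: JSON:API accepts writes; entity_ref=yes rows match the SA-CORE-2026-005 preconditions.\n";
}
echo "Rows provided by contributed modules remain relevant even with JSON:API read-only:\n";
echo "the module advisories also count any other way of editing the field values directly.\n";
```

An empty result for entity reference types is the expected outcome on a site with only core field types, matching the advisory's statement that no core field type meets the criteria. Rows whose provider is one of the three named modules point at the module that needs updating; rows from custom code deserve a look at how the field stores and deserializes its data.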
SA-CORE-2026-008 adds a separate configuration concern for sites using oEmbed URL discovery in the Media module. The advisory says Drupal's URL discovery code could be used to make server-side requests to arbitrary URLs, which is a server-side request forgery exposure. After updating, sites that rely on URL discovery need to declare which hosts discovery may contact, using the $settings['media_oembed_discovery_trusted_host_patterns'] setting in settings.php.
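What the new setting looks like in settings.php, as an added example rather than text from the advisory: the setting name is the one SA-CORE-2026-008 gives, but the pattern syntax shown is an assumption that it mirrors Drupal's existing `$settings['trusted_host_patterns']` (anchored regular expressions with escaped dots), and the host names are placeholders for whichever oEmbed providers a site actually uses. The exact format should be confirmed against the updated core release before deploying.

```php
<?php
// Added example for settings.php (not from the advisory).
//
// Before the update, a site using oEmbed URL discovery had no host allowlist,
// so discovery could be pointed at arbitrary URLs. The setting named by
// SA-CORE-2026-008 restricts the hosts discovery may contact.
//
// ASSUMPTION: the patterns are anchored, dot-escaped regular expressions in the
// same style as $settings['trusted_host_patterns']. The hosts below are
// placeholders; list only the oEmbed providers your media sources really use.
$settings['media_oembed_discovery_trusted_host_patterns'] = [
  '^www\.youtube\.com$',
  '^youtu\.be$',
  '^vimeo\.com$',
];
```

A site that does not use URL discovery at all does not need the setting, but it also gains nothing by leaving discovery enabled; a deliberately short allowlist is the cheaper position.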
SA-CORE-2026-009 addresses improper validation of image uploads through JSON:API and REST. The advisory says validation checked file extensions but not MIME types, so a malicious user could upload a non-image file, for instance an HTML or SVG document given an image extension, to an image field. Web-server configurations that serve the file with its actual MIME type rather than the type implied by its extension could then expose a cross-site scripting or unexpected-behaviour risk.
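The gap the advisory describes is the difference between trusting a filename and inspecting the bytes. The snippet below is an added illustration, not Drupal's validator or the fix itself: it places an extension-only check beside a content check that sniffs the MIME type with finfo and requires it to agree with the extension, then runs both over constructed sample uploads (a real 1x1 GIF, an HTML file named as a PNG, and an SVG named as a PNG). The function names are arbitrary.

```php
<?php
// Added illustration (not Drupal code): extension-only validation, the behaviour
// SA-CORE-2026-009 fixed, beside content-based validation.

/**
 * Extension-only check: accepts any file whose name ends in an image extension.
 */
function extension_only_is_image(string $filename): bool {
  $allowed = ['png', 'jpg', 'jpeg', 'gif', 'webp'];
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  return in_array($ext, $allowed, TRUE);
}

/**
 * Content check: the sniffed MIME type must be the image type the extension
 * claims, and the image parser must accept the bytes.
 */
function content_is_image(string $filename, string $bytes): bool {
  $expected = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif' => 'image/gif',
    'webp' => 'image/webp',
  ];
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  if (!isset($expected[$ext])) {
    return FALSE;
  }
  $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
  if ($mime !== $expected[$ext]) {
    // HTML or SVG bytes sniff as text/html or image/svg+xml, never as image/png.
    return FALSE;
  }
  return getimagesizefromstring($bytes) !== FALSE;
}

/**
 * Runs both checks over [filename, bytes] pairs and returns the verdicts.
 */
function validate_samples(array $samples): array {
  $out = [];
  foreach ($samples as [$name, $bytes]) {
    $out[$name] = [
      'extension_only' => extension_only_is_image($name),
      'content' => content_is_image($name, $bytes),
    ];
  }
  return $out;
}

// Constructed sample uploads.
$samples = [
  // The well-known 1x1 transparent GIF: a genuine image.
  ['pixel.gif', base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')],
  // HTML carrying script, named as a PNG.
  ['avatar.png', '<html><body><script>alert(document.domain)</script></body></html>'],
  // SVG can carry script too; here it is also mislabelled as a PNG.
  ['logo.png', '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'],
];

foreach (validate_samples($samples) as $name => $r) {
  printf("%-12s extension-only: %-4s content-checked: %s\n",
    $name, $r['extension_only'] ? 'pass' : 'fail', $r['content'] ? 'pass' : 'fail');
}
```

Both mislabelled files pass the extension-only check and fail the content check, which is the class of file the advisory says could reach an image field before the fix. Updating core is the actual remedy; separately from the advisory, a general hardening that blunts the sniffing half of the problem is to serve uploaded files with an `X-Content-Type-Options: nosniff` header so browsers do not second-guess the declared type.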
The two remaining core advisories are lower priority. SA-CORE-2026-007 is a less critical Host header handling issue in rebuild.php that could lead to cache poisoning or an open redirect. SA-CORE-2026-006 is a moderately critical gadget-chain advisory; the advisory says it is not directly exploitable and only becomes usable in combination with a separate insecure deserialization vulnerability.
Drupal Steward provides protection for SA-CORE-2026-005, but that advisory says the web application firewall rule may not cover all cases or work for all hosting providers. It also says several other core advisories released the same day are not mitigated by Drupal Steward, so the recommended action remains an actual Drupal update within 24 hours of release. For most site teams, the practical response is to update supported core branches, review JSON:API write access, check oEmbed URL discovery configuration, and update any installed affected contributed modules.
