AIKIDO-2026-34610

drupal/core is vulnerable to Deserialization of Untrusted Data

Deserialization of Untrusted Data | CVE-2026-55804 | Published Yesterday

65 (Medium Risk)

This Affects:

PHP: drupal/core
0.0.0 - 10.5.11 (fixed in 10.5.12)
10.6.0 - 10.6.10 (fixed in 10.6.11)
11.0.0 - 11.2.13 (fixed in 11.2.14)
11.3.0 - 11.3.11 (fixed in 11.3.12)

TL;DR

Drupal core contains a "gadget chain" — a sequence of methods that, while not directly exploitable on its own, could be leveraged for remote code execution or SQL injection if an insecure deserialization vulnerability exists elsewhere in the application. This issue poses no standalone risk, as exploitation requires a separate, independent vulnerability that allows an attacker to pass unsafe input to unserialize().

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/core is vulnerable to Deserialization of Untrusted Data in versions 0.0.0 - 10.5.11, 10.6.0 - 10.6.10, 11.0.0 - 11.2.13 and 11.3.0 - 11.3.11.

How to fix this

Upgrade the drupal/core library to the patched version for your branch: 10.5.12, 10.6.11, 11.2.14 or 11.3.12.
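
To check a project against the ranges listed in this advisory, the following added example (not part of the original advisory and not Drupal's own code) reads the text of a composer.lock and reports whether the locked drupal/core release is affected and which fixed release to move to. The function names and the sample lock file are constructed for illustration, and it assumes plain x.y.z release versions.

```python
import json

# Affected ranges and fixed versions exactly as listed in this advisory.
AFFECTED = [
    ((0, 0, 0), (10, 5, 11), "10.5.12"),
    ((10, 6, 0), (10, 6, 10), "10.6.11"),
    ((11, 0, 0), (11, 2, 13), "11.2.14"),
    ((11, 3, 0), (11, 3, 11), "11.3.12"),
]


def parse_version(text):
    """Turn '10.5.11' or 'v11.2.3' into (10, 5, 11); reject anything else."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        # Dev branches and pre-releases need a manual look, so fail loudly.
        raise ValueError(f"not a plain x.y.z release: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version):
    """Return the fixed release if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return fixed
    return None


def check_lockfile(lock_json):
    """Look up drupal/core in composer.lock text and report its status."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "drupal/core":
            fixed = fixed_version_for(pkg["version"])
            return {"installed": pkg["version"],
                    "affected": fixed is not None,
                    "upgrade_to": fixed}
    return None  # drupal/core is not locked in this project


# Constructed sample: a trimmed composer.lock, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.6.4"},
        {"name": "symfony/http-foundation", "version": "v6.4.8"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))
```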