Vulnerability DatabaseCVE-2026-55806
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-55806
Published:June 17, 2026
Updated:June 21, 2026
Drupal core ships a "rebuild.php" front controller that can be used to rebuild Drupal (clearing the caches and rebuilding the container) when the site is in an unexpected condition. This script doesn't correctly check the Host header against the list of trusted host patterns. This could result in cache poisoning or a redirect to an attacker-controlled domain.
Affected Packages
drupal/core (PHP):
Affected version(s) >=11.2.0 <11.2.14
Fix Suggestion:
Update to version 11.2.14
drupal/core (PHP):
Affected version(s) >=11.3.0 <11.3.12
Fix Suggestion:
Update to version 11.3.12
drupal/core (PHP):
Affected version(s) >=10.5.0 <10.5.12
Fix Suggestion:
Update to version 10.5.12
drupal/core (PHP):
Affected version(s) >=10.6.0 <10.6.11
Fix Suggestion:
Update to version 10.6.11
Related Resources (1)
https://www.drupal.org/sa-core-2026-007
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE