PatchSiren cyber security CVE debrief
CVE-2026-12535 Drupal CVE debrief
The CVE-2026-12535 vulnerability is an Improperly Controlled Modification of Dynamically-Determined Object Attributes issue in Drupal Formatter Field, which allows Object Injection. This issue affects Formatter Field versions from 0.0.0 to 2.0.0. The CVE record was published on 2026-07-10T22:16:39.077Z and has not been modified since then. Affected Drupal users and administrators should review and apply patches. The vulnerability has a medium priority for Drupal users and administrators to review and apply patches.
- Vendor
- Drupal
- Product
- Formatter Field
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Drupal users and administrators should review and apply patches for Formatter Field versions from 0.0.0 to 2.0.0. Affected operator, platform, vulnerability-management, and security-team impact should be considered. Inventory Formatter Field usage and verify patch application.
Technical summary
The CVE-2026-12535 vulnerability is an Improperly Controlled Modification of Dynamically-Determined Object Attributes issue in Drupal Formatter Field, which allows Object Injection. This issue affects Formatter Field versions from 0.0.0 to 2.0.0. The vulnerability has a medium priority for Drupal users and administrators to review and apply patches. Review Formatter Field versions and apply patches for versions from 0.0.0 to 2.0.0.
Defensive priority
Medium priority for Drupal users and administrators to review and apply patches.
Recommended defensive actions
- Review Formatter Field versions and apply patches for versions from 0.0.0 to 2.0.0
- Monitor Drupal security advisories for updates on this vulnerability
- Inventory Formatter Field usage and verify patch application
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
Evidence is limited; primary official records indicate a vulnerability in Formatter Field. Verify patch application and monitor for updates. Additional verification tasks include reviewing Formatter Field usage, confirming affected product deployments, and checking relevant monitoring, detection, and logs for exposed assets.
Official resources
-
CVE-2026-12535 CVE record
CVE.org
-
CVE-2026-12535 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T22:16:39.077Z and has not been modified since then.