PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12535 Drupal CVE debrief

The CVE-2026-12535 vulnerability is an Improperly Controlled Modification of Dynamically-Determined Object Attributes issue in Drupal Formatter Field, which allows Object Injection. This issue affects Formatter Field versions from 0.0.0 to 2.0.0. The CVE record was published on 2026-07-10T22:16:39.077Z and has not been modified since then. Affected Drupal users and administrators should review and apply patches. The vulnerability has a medium priority for Drupal users and administrators to review and apply patches.

Vendor
Drupal
Product
Formatter Field
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Drupal users and administrators should review and apply patches for Formatter Field versions from 0.0.0 to 2.0.0. Affected operator, platform, vulnerability-management, and security-team impact should be considered. Inventory Formatter Field usage and verify patch application.

Technical summary

The CVE-2026-12535 vulnerability is an Improperly Controlled Modification of Dynamically-Determined Object Attributes issue in Drupal Formatter Field, which allows Object Injection. This issue affects Formatter Field versions from 0.0.0 to 2.0.0. The vulnerability has a medium priority for Drupal users and administrators to review and apply patches. Review Formatter Field versions and apply patches for versions from 0.0.0 to 2.0.0.

Defensive priority

Medium priority for Drupal users and administrators to review and apply patches.

Recommended defensive actions

  • Review Formatter Field versions and apply patches for versions from 0.0.0 to 2.0.0
  • Monitor Drupal security advisories for updates on this vulnerability
  • Inventory Formatter Field usage and verify patch application
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

Evidence is limited; primary official records indicate a vulnerability in Formatter Field. Verify patch application and monitor for updates. Additional verification tasks include reviewing Formatter Field usage, confirming affected product deployments, and checking relevant monitoring, detection, and logs for exposed assets.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T22:16:39.077Z and has not been modified since then.