CVE-2026-1556

Exploit

EPSS 0.04%
Veröffentlicht 26.03.2026 21:14:20
Zuletzt bearbeitet 02.04.2026 20:33:54
Quelle mlhess@drupal.org
CVE-Watchlists
Login
Unerledigt
Login

Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Deciphered ≫ Filefield Paths SwPlatformdrupal Version < 7.x-1.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.107

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
mlhess@drupal.org	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://www.herodevs.com/vulnerability-directory/cve-2026-1556

Third Party Advisory

Exploit

Mitigation

https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-1556

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-1556

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-1556

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-1556