Is drupal/core affected by CVE-2026-55808?

Packagist drupal/core is affected in =10.6.0 =11.2.0 =11.3.0 =11.0.0 =11.1.0 <11.2.0.

CVE-2026-55808

Summary

The JSON:API and REST modules allow you to upload image files to image fields. The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image. Certain web-server configurations may serve the uploa

References

https://www.drupal.org/sa-core-2026-009

Related vulnerabilities

All Supply chain →

HIGHCVE-2026-52801
Gogs has the ability to import local repositories via Mirror Settings
HIGHCVE-2026-52800
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
HIGHCVE-2026-52799
Gogs Missing Authorization in Attachment Download
HIGHCVE-2026-52798
Gogs has Stored XSS in `.ipynb` Preview
MEDIUMCVE-2026-50179
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
HIGHCVE-2026-54353
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation