Description
Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Problem types
CWE-918 Server-Side Request Forgery (SSRF)
Product status
10.6.0 (semver) before 10.6.11
11.2.0 (semver) before 11.2.14
11.3.0 (semver) before 11.3.12
0.0.0 (semver) before 11.0.*
0.0.0 (semver) before 11.1.*
Credits
Hamed Kohi (0xhamy)
assaf alassaf (ama62)
Albert Skibinski (askibinski)
Jon Minder (ayalon)
Lautaro Casanova (betah4k)
Gabe Sullice (gabesullice)
John Morahan (john morahan)
Michael Winser (michaelwinser)
nbanderson
offensive-ai
Francesco Placella (plach)
quynh ho (qquynh)
Himanshu Anand (unknownhad)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Adam G-H (phenaproxima)
Sean Blommaert (seanb)
Benji Fisher (benjifisher)
cilefen (cilefen)
Damien McKenna (damienmckenna)
Mori Sugimoto (dokumori)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
James Gilliland (neclimdul)
Juraj Nemec (poker10)
Jess (xjm)
References
www.drupal.org/sa-core-2026-008