Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-1556— Information disclosure via file URI overwrite in File (Field) Paths

EPSS 0.04% · P13
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-1556

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Information disclosure via file URI overwrite in File (Field) Paths
Source: NVD (National Vulnerability Database)
Vulnerability Description
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Drupal File Field Paths 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Drupal File Field Paths是Drupal公司的一个用于自定义文件字段存储路径的扩展模块。 Drupal File Field Paths 7.x-1.3之前版本存在安全漏洞,该漏洞源于文件URI处理中的信息泄露,可能导致已验证用户通过文件名冲突上传泄露其他用户的私有文件,这可能导致hook_node_insert消费者收到错误的文件URI,从而绕过私有文件的正常访问控制。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
DrupalDrupal File (Field) Paths 7.x-1.0 ~ 7.x-1.3 -

II. Public POCs for CVE-2026-1556

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-1556

登录查看更多情报信息。

Same Patch Batch · Drupal · 2026-03-26 · 13 CVEs total

CVE-2026-3529Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
CVE-2026-3573AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2
CVE-2026-3532OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
CVE-2026-3526File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
CVE-2026-3525File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020
CVE-2026-3527AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
CVE-2026-3530OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Informa
CVE-2026-3531OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026
CVE-2026-3528Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023
CVE-2026-4933Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029
CVE-2026-4393Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030
CVE-2026-0748Access bypass in Drupal 7 i18n_node translation UI

IV. Related Vulnerabilities

Same vendor: Drupal
Same weakness: CWE-200

V. Comments for CVE-2026-1556

No comments yet

Leave a comment