CVE-2026-1556

MEDIUM

Information disclosure via file URI overwrite in File (Field) Paths

Title source: cna

Description

Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.

References (2)

[Third Party Advisory] https://www.herodevs.com/vulnerability-directory/cve-2026-1556

[Third Party Advisory] https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 12.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

deciphered/filefield_paths < 7.x-1.3

Drupal/Drupal File (Field) Paths 7.x-1.0 - 7.x-1.3

Published Mar 26, 2026

Tracked Since Mar 27, 2026