CVE-2026-1556
MEDIUMInformation disclosure via file URI overwrite in File (Field) Paths
Title source: cnaDescription
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
References (2)
Core 2
Core References
Third Party Advisory third-party-advisory
https://www.herodevs.com/vulnerability-directory/cve-2026-1556
Third Party Advisory third-party-advisory
https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation
Scores
CVSS v3
6.5
EPSS
0.0039
EPSS Percentile
30.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
deciphered/filefield_paths
< 7.x-1.3
Drupal/Drupal File (Field) Paths
7.x-1.0 - 7.x-1.3
Published
Mar 26, 2026
Tracked Since
Mar 27, 2026