Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Drupal 9.4.3 and earlier vulnerable to arbitrary file upload
DEBIAN-CVE-2026-41080
Summary
Drupal content management system versions 9.4.3 and earlier allow attackers to upload and execute arbitrary files on the server, potentially leading to system compromise. This is a serious security risk, especially for websites that store sensitive information. Update to the latest version of Drupal to address this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:11 | debian | expat | All versions |
| Debian:12 | debian | expat | All versions |
| Debian:13 | debian | expat | All versions |
| Debian:14 | debian | expat | All versions |
Original title
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
Original description
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
- https://security-tracker.debian.org/tracker/CVE-2026-41080 Vendor Advisory
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 16 Apr 2026