DrupalSecurityTeam · G-Rath · Jun 19, 2026 · Jun 18, 2026
diff --git a/advisories/core/DRUPAL-CORE-2026-005.json b/advisories/core/DRUPAL-CORE-2026-005.json
@@ -1,12 +1,12 @@
 {
   "schema_version": "1.7.0",
   "id": "DRUPAL-CORE-2026-005",
-  "modified": "2026-06-17T18:56:50.000Z",
+  "modified": "2026-06-18T00:37:19.000Z",
   "published": "2026-06-17T18:56:50.000Z",
   "aliases": [
     "CVE-2026-55803"
   ],
-  "details": "[SA-CORE-2019-003](https://www.drupal.org/sa-core-2019-003) added protection for fields that store serialized data to disallow direct writes via web services.\n\nThe above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.\n\nThis vulnerability is mitigated by the fact that in order to be exploitable:\n\n* A site must use an entity reference field type that stores a serialized property.\n* An attacker must have permission to write to the entity via JSON:API.\n\nNo field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules.\n\nJSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access).\n\n#### Drupal Steward protection:\n\nThis issue is being protected by [Drupal Steward](https://www.drupal.org/steward). In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not be able to cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are *not* mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release.",
+  "details": "[SA-CORE-2019-003](https://www.drupal.org/sa-core-2019-003) added protection for fields that store serialized data to disallow direct writes via web services.\n\nThe above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.\n\nThis vulnerability is mitigated by the fact that in order to be exploitable:\n\n* A site must use an entity reference field type that stores a serialized property.\n* An attacker must have permission to write to the entity via JSON:API.\n\nNo field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules.\n\nJSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access).\n\n#### Drupal Steward protection:\n\nThis issue is being protected by [Drupal Steward](https://www.drupal.org/steward). In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are *not* mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release.",
   "affected": [
     {
       "package": {