DRUPAL-CORE-2026-007
Details
Drupal core ships a `rebuild.php` front controller that can be used to rebuild Drupal (clearing the caches and rebuilding the container) when the site is in an unexpected condition.
This script doesn't correctly check the Host header against the list of trusted host patterns. This could result in cache poisoning or a redirect to an attacker-controlled domain.
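The following PHP is an added illustration, not Drupal core code and not part of the advisory: it shows a Host header being validated against a list of trusted host patterns before a script acts on it. The function name `host_is_trusted()`, the hostnames and the pattern list are assumptions; the patterns are written in the regex style used for `$settings['trusted_host_patterns']` in `settings.php`.

```php
<?php
// Added example, not Drupal core code. Hostnames and patterns are constructed.
// Each pattern is anchored with ^ and $ so that a trusted name cannot be
// embedded inside a longer, attacker-chosen hostname.
$trustedHostPatterns = [
    '^example\.com$',
    '^.+\.example\.com$',
];

/**
 * Returns true only if the Host header value matches a trusted pattern.
 * Hypothetical helper for illustration.
 */
function host_is_trusted(string $hostHeader, array $patterns): bool
{
    // Strip an optional :port suffix and normalise case before matching.
    $host = strtolower((string) preg_replace('/:\d+$/', '', trim($hostHeader)));

    // Accept plain DNS hostnames only; anything else (empty value, spaces,
    // slashes, bracketed IPv6 literals) is rejected in this example.
    if ($host === '' || preg_match('/^[a-z0-9.-]+$/', $host) !== 1) {
        return false;
    }

    foreach ($patterns as $pattern) {
        if (preg_match('{' . $pattern . '}i', $host) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample Host header values.
$samples = [
    'example.com',
    'WWW.Example.com:8443',
    'attacker.test',
    'example.com.attacker.test',
];

foreach ($samples as $hostHeader) {
    $verdict = host_is_trusted($hostHeader, $trustedHostPatterns)
        ? 'trusted'
        : 'rejected (answer with 400, do not build URLs or cache entries)';
    printf("%-28s %s\n", $hostHeader, $verdict);
}
```

The first two samples are accepted and the last two are rejected, including the hostname that merely begins with a trusted name.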
Affected packages
Packagist / drupal/core
Introduced in: 0
Fixed in: 10.5.12
Fix
composer require drupal/core:^10.5.12