—

DRUPAL-CORE-2026-008

Details

The Media module comes with support for oEmbed. The oEmbed specification contains two discovery mechanisms, via `providers.json` and via URL discovery.

The URL discovery code could be leveraged to trick Drupal into making server-side requests to any URL.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / drupal/core

Introduced in: 0 Fixed in: 10.5.12

Fix composer require drupal/core:^10.5.12

References

https://www.drupal.org/sa-core-2026-008 [WEB]