CVE-2026-1556

Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation	Third Party Advisory
https://www.herodevs.com/vulnerability-directory/cve-2026-1556	Exploit Third Party Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:deciphered:filefield_paths:*:*:*:*:*:drupal:*:*

History

02 Apr 2026, 20:33

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:deciphered:filefield_paths::::::drupal::*
References	~~() https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation -~~	() https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation - Third Party Advisory
References	~~() https://www.herodevs.com/vulnerability-directory/cve-2026-1556 -~~	() https://www.herodevs.com/vulnerability-directory/cve-2026-1556 - Exploit, Third Party Advisory, Mitigation
First Time		Deciphered Deciphered filefield Paths
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

30 Mar 2026, 13:26

Type	Values Removed	Values Added
Summary		(es) Revelación de información en el procesamiento de URI de archivo de Rutas de Archivo (Campo) en Drupal File (Field) Paths 7.x anterior a 7.1.3 en Drupal 7.x permite a usuarios autenticados revelar archivos privados de otros usuarios mediante cargas por colisión de nombres de archivo. Esto puede causar que consumidores de hook_node_insert() (por ejemplo, módulos de adjuntos de correo electrónico) reciban la URI de archivo incorrecta, eludiendo los controles de acceso normales en archivos privados.

26 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-26 22:16

Updated : 2026-04-02 20:33

NVD link : CVE-2026-1556

Mitre link : CVE-2026-1556

CVE.ORG link : CVE-2026-1556

JSON object : View

Products Affected

deciphered

filefield_paths

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

6.5 /10