vulnerability

FreeBSD: VID-9b8a52fc-89c1-11e9-9ba0-4c72b94353b5: drupal -- Drupal core - Moderately critical

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: Jun 8, 2019
Added: Jun 8, 2019
Modified: Dec 10, 2025

Description

Drupal Security Team reports: CVE-2019-11831: By-passing protection of Phar Stream Wrapper Interceptor. In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

Solutions

freebsd-upgrade-package-drupal7
freebsd-upgrade-package-drupal8
