Information disclosure in Drupal File (Field) Paths
CVE-2026-1556
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This ca…
Vulnerability class: Information Disclosure
EPSS: 0.000 (15.3th percentile) — read the EPSS interpretation.
Affected products
- Drupal File (Field) Paths — versions 7.x-1.0
Weakness classification (CWE)
References
- www.herodevs.com/vulnerability-directory/cve-2026-1556 (third-party-advisory)
- d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-pat… (third-party-advisory)