Improper Input Validation Affecting drupal-10.6 package, versions <10.6.11-r0


Severity (recommended): low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS: 0.31% (23rd percentile)

  • Snyk ID: SNYK-MINIMOSLATEST-DRUPAL106-17371127
  • published: 18 Jun 2026
  • disclosed: 11 Jun 2026

Introduced: 11 Jun 2026

CVE-2026-48998
CWE-20
CWE-918

How to fix?

Upgrade Minimos:latest drupal-10.6 to version 10.6.11-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream drupal-10.6 package and not the drupal-10.6 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as trusted.example@evil.example. When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value.

Applications are affected if they parse attacker-controlled raw HTTP requests with GuzzleHttp\Psr7\Message::parseRequest() or the legacy 1.x GuzzleHttp\Psr7\parse_request() function, or if they build server requests from attacker-controlled server variables, and then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host.

The issue is patched in 2.10.2. 1.x is end-of-life and will not receive a patch. Some workarounds are available: validate the Host header as uri-host [ ":" port ] before calling Message::parseRequest() or legacy parse_request() on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI, and reject Host values containing userinfo, path, query, or fragment delimiters.
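The workaround above, as an added example that is not guzzlehttp/psr7 code: a pure-PHP gate that validates the Host header of raw request text as uri-host [ ":" port ] per RFC 3986 before the text would be handed to Message::parseRequest(). The function names, the pattern constant and the sample messages are this example's own assumptions.

```php
<?php
// Added example, not guzzlehttp/psr7 code: validate a Host header as
// uri-host [ ":" port ] (RFC 3986) before untrusted raw request text reaches
// GuzzleHttp\Psr7\Message::parseRequest(). All names here are the example's own.
// RFC 3986 host grammar: IP-literal / IPv4address / reg-name, then optional port.
// reg-name allows only unreserved, pct-encoded and sub-delims characters, so "@",
// "/", "?", "#" and any ":" outside the port position fail by construction.
const HOST_HEADER_PATTERN =
    '/\A(?:'
    . '\[(?:[0-9A-Fa-f:.]+|v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&\'()*+,;=:]+)\]' // IP-literal
    . '|(?:[A-Za-z0-9\-._~!$&\'()*+,;=]|%[0-9A-Fa-f]{2})*'                    // reg-name, IPv4
    . ')(?::[0-9]*)?\z/';

function isValidHostHeader(string $host): bool
{
    // RFC 3986 permits an empty reg-name, but an empty host (or a bare ":port")
    // is never a usable routing target, so reject those too.
    return $host !== '' && $host[0] !== ':' && preg_match(HOST_HEADER_PATTERN, $host) === 1;
}

// Extract the Host field value from a raw HTTP/1.1 request message; headers end
// at the first blank line. Returns null when the message has no Host header.
function hostHeaderFromRawRequest(string $raw): ?string
{
    $head = explode("\r\n\r\n", $raw, 2)[0];
    foreach (array_slice(explode("\r\n", $head), 1) as $line) {
        if (stripos($line, 'host:') === 0) {
            return trim(substr($line, 5));
        }
    }
    return null;
}

// Gate to apply before Message::parseRequest(): refuse messages whose Host header
// is missing or is anything other than a plain uri-host [ ":" port ].
function rawRequestHostIsSafe(string $raw): bool
{
    $host = hostHeaderFromRawRequest($raw);
    return $host !== null && isValidHostHeader($host);
}

// Constructed sample messages; the second carries the advisory's userinfo delimiter.
$samples = [
    "GET /status HTTP/1.1\r\nHost: trusted.example:8443\r\n\r\n",
    "GET /status HTTP/1.1\r\nHost: trusted.example@evil.example\r\n\r\n",
    "GET /status HTTP/1.1\r\nHost: [::1]:8080\r\n\r\n",
];
foreach ($samples as $raw) {
    printf("%-32s %s\n", hostHeaderFromRawRequest($raw), rawRequestHostIsSafe($raw) ? 'accepted' : 'rejected');
}
```

The reg-name branch follows the RFC grammar, so it still admits sub-delims such as "&" or "="; a deployment that only ever routes to DNS hostnames can tighten the pattern further to letters, digits, "-" and ".".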