Platform: drupal
Component: drupal
Fixed in: 1.10.1
CVE-2026-24478 describes a critical Remote Code Execution (RCE) vulnerability within the AnythingLLM application, a Drupal Core module. This flaw stems from a path traversal issue in the DrupalWiki integration, enabling unauthorized file writes. Affected versions include those prior to 1.10.0. The vulnerability has been resolved in version 1.10.0.
An attacker exploiting this vulnerability could use a malicious DrupalWiki URL to overwrite critical configuration files or to place executable scripts on the server. This could lead to complete system compromise, including data exfiltration, denial of service, and further malicious activity. The ability to write arbitrary files grants a significant level of control over the affected Drupal instance. The impact is significant because exploitation requires only administrative privileges within the Drupal environment, so the flaw is reachable by insiders or by attackers who have already obtained such access.
This vulnerability was publicly disclosed on 2026-01-27. No public proof-of-concept (PoC) code had been released at the time of writing, but the path traversal nature of the flaw suggests a relatively low barrier to exploitation. The EPSS score is likely to be medium, reflecting the potential for widespread exploitation given the popularity of Drupal and the ease with which path traversal vulnerabilities are generally exploited. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.22% (44th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24478 is to immediately upgrade the AnythingLLM application to version 1.10.0 or later. If upgrading is not immediately feasible, restrict access to the DrupalWiki integration and carefully validate any URLs provided by administrators. Consider implementing stricter file permission controls on the server to limit the impact of potential file writes. Review DrupalWiki configurations for any suspicious entries. After upgrading, confirm the fix by attempting to access a DrupalWiki URL with a path traversal payload and verifying that the server rejects the request.
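The two defensive checks the mitigation above calls for, shown as an added Python example that is not code from AnythingLLM or from the Drupal project: a storage filename is derived from a DrupalWiki URL through a character allowlist instead of reusing the URL path, and every write target is confined to the export directory by comparing fully resolved paths. The export directory name, the filename scheme and the URLs are assumptions made for the example.

```python
import re
from pathlib import Path
from urllib.parse import unquote, urlparse

# Assumed name of the only directory the integration may write into.
EXPORT_DIR = "wiki_exports"
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


class UnsafePathError(ValueError):
    """A user-controlled value would place a file outside the export directory."""


def contained_path(base_dir: str, untrusted_relative: str) -> Path:
    """Resolve base_dir/untrusted_relative and refuse anything that escapes base_dir.

    The comparison uses fully resolved paths, so "sub/../ok.json" is accepted
    (it stays inside) while "../x", percent-encoded dots and absolute paths are not.
    """
    base = Path(base_dir).resolve()
    decoded = unquote(untrusted_relative)  # decode once so %2e%2e cannot slip through
    if not decoded or "\x00" in decoded or Path(decoded).is_absolute():
        raise UnsafePathError(f"rejected name: {untrusted_relative!r}")
    candidate = (base / decoded).resolve()
    if base not in candidate.parents:
        raise UnsafePathError(f"{untrusted_relative!r} resolves outside {base}")
    return candidate


def is_contained(base_dir: str, untrusted_relative: str) -> bool:
    """Boolean form of contained_path, convenient for logging and tests."""
    try:
        contained_path(base_dir, untrusted_relative)
    except UnsafePathError:
        return False
    return True


def document_filename(wiki_url: str) -> str:
    """Build a storage filename from a DrupalWiki URL without reusing its raw path.

    Every character outside the allowlist becomes "_", and the result is re-checked
    against SAFE_NAME so no separator or ".." component can reach the filesystem.
    """
    parsed = urlparse(wiki_url)
    slug = re.sub(r"[^A-Za-z0-9._-]+", "_", unquote(parsed.path)).strip("._")
    name = f"{parsed.hostname or 'unknown-host'}_{slug or 'index'}.json"
    if not SAFE_NAME.fullmatch(name) or ".." in name:
        raise UnsafePathError(f"cannot derive a safe filename from {wiki_url!r}")
    return name
```

A post-upgrade check of the kind the mitigation describes amounts to calling `is_contained` with the same traversal inputs an attacker would supply and confirming each returns False.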
Update AnythingLLM to version 1.10.0 or later. This version contains the fix for the path traversal vulnerability. It is recommended to apply the update as soon as possible to prevent possible attacks.
CVE-2026-24478 is a Remote Code Execution vulnerability in the AnythingLLM application for Drupal Core, allowing attackers to potentially execute arbitrary code on the server.
You are affected if you are using Drupal Core with the AnythingLLM application in a version prior to 1.10.0.
Upgrade the AnythingLLM application to version 1.10.0 or later to resolve the vulnerability. Restrict access to the DrupalWiki integration as a temporary workaround.
While no public exploits are currently known, the path traversal nature of the vulnerability suggests a potential for exploitation.
Refer to the official Drupal security advisory for CVE-2026-24478 on the Drupal website.