As a result, Drupal urges admins using these applications to update them as well, whether or not the SQL injection vulnerability affects their systems. Helpfully, the Drupal fix issued today includes updates for both Symfony and Twig.
The vulnerability in Drupal’s core, CVE-2026-9082, is in a database abstraction API that ensures queries against the database are sanitized to prevent SQL injection attacks.
In its warning, Drupal said a vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure and, in some cases, privilege escalation, remote code execution (RCE), or other attacks.
The vulnerability can be exploited by anonymous users.



