Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking

Drupal has patched a highly critical vulnerability that could allow threat actors to hack websites powered by the open source content management system (CMS).

The developers of the CMS had alerted users prior to the patch’s release that an exploit could be created within hours or days of disclosure.

The vulnerability, tracked as CVE-2026-9082 and rated ‘highly critical’ with a NIST CMSS score of 20 out of 25, affects an API designed to ensure that database queries are sanitized to prevent SQL injection attacks.

“A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases,” Drupal explains.

It warns that the flaw can be exploited without authentication to obtain information and, in some cases, for privilege escalation and remote code execution.

Drupal powers hundreds of thousands of websites, but CVE-2026-9082 only affects sites that use PostgreSQL.

Patches are available for Drupal versions 11.3, 11.2, 10.6, and 10.5.x.

The latest updates also address ‘vital’ vulnerabilities in Symfony and Twig that affect Drupal.

“Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not,” Drupal recommends.

Vulnerabilities are often patched in Drupal, but few of them are severe, and there hasn’t been a ‘highly critical’ flaw in years.

There haven’t been any reports of new Drupal flaws being exploited in the wild since 2019. In the years leading up to 2019, several vulnerabilities were exploited, including Drupalgeddon and Drupalgeddon2, which were used to hack many websites.
