Drupal is warning that hackers are trying to exploit a “highly critical” SQL injection vulnerability disclosed earlier this week.
The content management system (CMS) project published a PSA on May 18, urging administrators to reserve time for core updates that addressed an issue that threat actors might start exploiting “within hours or days.”
The flaw is now tracked as CVE-2026-9082 and was discovered by Google/Mandiant researcher Michael Maturi. It affects Drupal’s database abstraction API and allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL.
SQL injection is a flaw in which attackers inject malicious SQL commands into database queries via user input fields or dialogs on websites, resulting in unauthorized access, modification, or deletion of database records.
The flaw is exploitable without authentication and could result in remote code execution, privilege escalation, and data disclosure.
In an update to the advisory on May 22, Drupal confirmed that exploitation attempts have been detected.
“The risk score has been updated to reflect that exploit attempts are now being detected in the wild,” reads the updated advisory.
Drupal rated the vulnerability as “highly critical,” assigning it an internal score of 23 out of 25. However, NIST has rated it as “medium severity” based on a CVSS v3 score of 6.5.
Impact and recommendations
CVE-2026-9082 affects a broad range of Drupal versions, including:
- Drupal 8.9.x
- Drupal 10.4.x before 10.4.10
- Drupal 10.5.x before 10.5.10
- Drupal 10.6.x before 10.6.9
- Drupal 11.0.x / 11.1.x before 11.1.10
- Drupal 11.2.x before 11.2.12
- Drupal 11.3.x before 11.3.10
Site owners and administrators are advised to upgrade immediately to the latest version available for their branch.
Those not using PostgreSQL are still advised to update, as the latest security updates also include fixes for upstream dependencies, including Symfony and Twig.
The advisory underlines that Drupal 8 and 9 are end-of-life (EoL), and that patches are provided on a “best-effort” basis; however, these branches still contain other known vulnerabilities, so continuing to use them is inherently risky.
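For an administrator with many sites to triage, the affected-version list above is easiest to apply as a small script. The following checker is an added example, not a tool published by Drupal or by the article; it encodes only the branches and fixed releases listed above, reports "unlisted" for any branch the list does not mention (such as 9.x or 10.0 to 10.3, about which this page says nothing specific), and treats the non-PostgreSQL case as "update-recommended" in line with the advice that those sites should still update for the bundled Symfony and Twig fixes.

```python
from typing import Dict, Optional, Tuple

# Branches named in the advisory summary on this page, keyed by (major, minor).
# The value is the first patch level that contains the fix, or None when every
# release of that branch is listed as affected (8.9.x and 11.0.x).
AFFECTED: Dict[Tuple[int, int], Optional[int]] = {
    (8, 9): None,
    (10, 4): 10,
    (10, 5): 10,
    (10, 6): 9,
    (11, 0): None,   # listed together with 11.1.x; fix is in 11.1.10
    (11, 1): 10,
    (11, 2): 12,
    (11, 3): 10,
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a plain 'major.minor.patch' Drupal core version string."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Drupal version format: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str, uses_postgresql: bool = True) -> str:
    """Classify a site against the CVE-2026-9082 list on this page.

    Returns one of:
      "vulnerable"         - listed branch, below the fixed release, PostgreSQL backend
      "update-recommended" - same version state but a different database backend
      "fixed"              - listed branch at or above the fixed release
      "unlisted"           - branch not named in the list above (no claim made)
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch not in AFFECTED:
        return "unlisted"
    first_fixed = AFFECTED[branch]
    if first_fixed is None or patch < first_fixed:
        return "vulnerable" if uses_postgresql else "update-recommended"
    return "fixed"


if __name__ == "__main__":
    # Constructed inventory of sites; the versions and backends are illustrative.
    inventory = [
        ("intranet", "10.4.9", True),
        ("shop", "11.1.9", True),
        ("blog", "11.2.11", False),
        ("archive", "8.9.20", True),
        ("staging", "11.3.10", True),
    ]
    for name, ver, pg in inventory:
        print(f"{name:10s} {ver:8s} postgresql={pg!s:5s} -> {assess(ver, pg)}")
```

The checker deliberately refuses to guess about branches the page does not list rather than marking them safe; an "unlisted" result is a prompt to read the full advisory, not a clean bill of health.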