
Highly Critical Drupal Core Flaw Exposes PostgreSQL Websites to RCE Attacks

Drupal has released security updates for a “highly critical” security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.

The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that’s used in Drupal Core to validate queries and ensure they’re sanitized against SQL injection attacks.

“A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases,” it said. “This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.”

Drupal noted the security flaw can be exploited by anonymous users, and impacts only sites that use PostgreSQL. The following versions address the issue –

  • Drupal 11.3.10
  • Drupal 11.2.12
  • Drupal 11.1.10
  • Drupal 10.6.9
  • Drupal 10.5.10
  • Drupal 10.4.10

Drupal 7 is not affected. The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.

As previously disclosed by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life –

“Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and don’t receive security coverage,” Drupal said. “Drupal 8 and Drupal 9 have both reached end-of-life.

“Due to this issue’s severity, the unsupported releases and patches for unsupported versions are provided as a best effort. These unsupported versions will still have other, previously disclosed security vulnerabilities.”
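
For triaging a fleet against the releases listed above, the following added example (not code from Drupal or from this article) classifies each site by core version and database driver. The status names, the inventory format and the assumption that PostgreSQL sites report the `pgsql` driver name from settings.php are choices made for this illustration.

```python
import re

# Fixed release per branch, copied from the article's list.
FIXED = {(11, 3): 10, (11, 2): 12, (11, 1): 10,
         (10, 6): 9, (10, 5): 10, (10, 4): 10}
# Branches the article describes as supported.
SUPPORTED = {(11, 3), (11, 2), (10, 6), (10, 5)}

def triage(version: str, db_driver: str) -> str:
    """Classify one site for this flaw (status strings are illustrative)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", version.strip())
    if not m:
        return "unknown-version"        # e.g. "10.5.x-dev": review by hand
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major == 7:
        return "not-affected"           # article: Drupal 7 is not affected
    if db_driver.strip().lower() != "pgsql":
        return "not-affected"           # article: only PostgreSQL sites are affected
    if major in (8, 9):
        return "eol-manual-patch"       # article: best-effort patches for 8 and 9
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "branch-not-listed"      # no fixed release named for this branch
    if patch < fixed:
        return f"vulnerable-update-to-{major}.{minor}.{fixed}"
    return "patched" if (major, minor) in SUPPORTED else "patched-but-eol"

# Constructed sample inventory: (site name, core version, database driver).
INVENTORY = [
    ("shop", "11.3.9", "pgsql"),
    ("intranet", "10.5.10", "pgsql"),
    ("blog", "10.6.2", "mysql"),
    ("legacy", "9.5.11", "pgsql"),
    ("archive", "7.98", "pgsql"),
    ("old-portal", "10.4.10", "pgsql"),
]

def report(inventory):
    """Map each site name to its triage status."""
    return {name: triage(version, driver) for name, version, driver in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:12} {status}")
```

A `not-affected` result covers only this SQL injection flaw; the article notes that the supported-branch releases also carry Symfony and Twig security updates.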
