
Drupal has released security updates for a vulnerability in Drupal Core that it rates “very critical”. An attacker could exploit it to achieve remote code execution, privilege escalation, or information disclosure.
The vulnerability is tracked as CVE-2026-9082 and carries a CVSS score of 6.5 out of 10.0, according to CVE.org. According to Drupal, the flaw lies in the database abstraction API that Drupal Core uses to build database queries and sanitize them against SQL injection.
“A vulnerability in this API could allow an attacker to send a specially crafted request, resulting in arbitrary SQL injection to sites using PostgreSQL databases. This can lead to information disclosure and, in some cases, privilege escalation, remote code execution, and other attacks.”
Drupal notes that the flaw can be exploited by anonymous users and that only sites using PostgreSQL are affected. The following releases address the issue:
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 is not affected. Releases in the supported branches (11.3, 11.2, 10.6, and 10.5) also include upstream security updates for Symfony and Twig, so sites on those branches should install the latest release rather than stopping at the minimum fixed version.
As previously disclosed by Drupal, a manual patch has also been released for Drupal 8 and 9, which are no longer supported.
“Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and lower are no longer supported and are not covered by security,” Drupal says. “Both Drupal 8 and Drupal 9 have reached end of support.”
“Due to the severity of this issue, patches for unsupported releases and unsupported versions are being provided as a best effort. Other previously disclosed security vulnerabilities still exist in these unsupported versions.”
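The advisory above boils down to a branch-aware version check: a site is exposed only if it runs the PostgreSQL driver and its core release sits below the fixed release for its minor branch, with Drupal 7 excluded and Drupal 8/9 falling under the manual-patch note. The following script is an added example, not Drupal project code, that encodes exactly that mapping so it can be run across an inventory. The fixed releases and branch status come from the advisory text; the two file parsers assume the common layout of `core/lib/Drupal.php` (`const VERSION = '...'`) and of the `$databases` array in `sites/default/settings.php`, and the sample file contents are constructed for the demonstration.

```python
"""Classify a Drupal site against the PostgreSQL SQL-injection advisory.

Added example, not Drupal project code. Fixed releases and branch support
status are taken from the advisory text; the parsers below assume the usual
layout of core/lib/Drupal.php and of $databases in settings.php.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_RELEASES: dict[tuple[int, int], tuple[int, int, int]] = {
    (11, 3): (11, 3, 10),
    (11, 2): (11, 2, 12),
    (11, 1): (11, 1, 10),   # best-effort fix: branch is out of support
    (10, 6): (10, 6, 9),
    (10, 5): (10, 5, 10),
    (10, 4): (10, 4, 10),   # best-effort fix: branch is out of support
}
SUPPORTED_BRANCHES = {(11, 3), (11, 2), (10, 6), (10, 5)}
# Drupal 8 and 9 are end-of-life; the advisory offers a manual patch for them.
EOL_MAJORS_WITH_MANUAL_PATCH = {8, 9}
# Only sites on the PostgreSQL driver are affected, per the advisory.
AFFECTED_DRIVER = "pgsql"


@dataclass(frozen=True)
class Assessment:
    status: str             # see assess() docstring for the possible values
    supported_branch: bool  # whether the advisory lists the branch as supported


_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Return (major, minor, patch, final); a pre-release such as 11.3.10-rc1
    gets final=0 so it sorts below the final 11.3.10 (final=1)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    final = 0 if "-" in version else 1
    return major, minor, patch, final


def assess(version: str, driver: str) -> Assessment:
    """Classify one site. status is one of:
      not_affected      not on PostgreSQL, or Drupal 7
      patched           at or above the fixed release for its branch
      vulnerable        PostgreSQL site below the fixed release for its branch
      eol_manual_patch  Drupal 8/9: only the manual patch is available
      no_fix_listed     a branch the advisory names no release for (e.g. 11.0.x)
      unparseable       version string not understood (checked before the driver)
    """
    try:
        major, minor, patch, final = parse_version(version)
    except ValueError:
        return Assessment("unparseable", False)
    branch = (major, minor)
    supported = branch in SUPPORTED_BRANCHES
    if driver.strip().lower() != AFFECTED_DRIVER or major == 7:
        return Assessment("not_affected", supported)
    if major in EOL_MAJORS_WITH_MANUAL_PATCH:
        return Assessment("eol_manual_patch", False)
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return Assessment("no_fix_listed", supported)
    fixed_key = fixed + (1,)  # the fixed releases are final releases
    status = "patched" if (major, minor, patch, final) >= fixed_key else "vulnerable"
    return Assessment(status, supported)


def version_from_drupal_php(source: str) -> Optional[str]:
    """Pull the core version out of core/lib/Drupal.php (const VERSION = '...')."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", source)
    return m.group(1) if m else None


def driver_from_settings(source: str) -> Optional[str]:
    """Pull the default database driver out of settings.php. Assumes the common
    'driver' => 'pgsql' form; sites that assemble $databases from environment
    variables or other code need a manual look."""
    m = re.search(r"['\"]driver['\"]\s*=>\s*['\"](\w+)['\"]", source)
    return m.group(1) if m else None


# Constructed sample file contents, not taken from a real site.
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '11.2.11';\n}\n"
SAMPLE_SETTINGS_PHP = (
    "$databases['default']['default'] = [\n"
    "  'database' => 'drupal',\n"
    "  'driver' => 'pgsql',\n"
    "];\n"
)

if __name__ == "__main__":
    ver = version_from_drupal_php(SAMPLE_DRUPAL_PHP) or ""
    drv = driver_from_settings(SAMPLE_SETTINGS_PHP) or ""
    print(f"sample site: {ver} on {drv} -> {assess(ver, drv)}")
    for v, d in [("11.2.12", "pgsql"), ("11.3.10-rc1", "pgsql"), ("10.4.9", "pgsql"),
                 ("9.5.11", "pgsql"), ("11.0.5", "pgsql"), ("7.103", "pgsql"),
                 ("11.2.11", "mysql")]:
        print(f"{v:>12} {d:<6} -> {assess(v, d)}")
```

Two points worth noting in the design: a pre-release build of the fixed version is still classified as vulnerable, because only the final release carries the fix; and a hit on `no_fix_listed` or `eol_manual_patch` means the branch itself is the finding, since the advisory states that other previously disclosed vulnerabilities remain in those versions regardless of this patch.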
