Drupal is warning that hackers are attempting to exploit a “highly critical” SQL injection vulnerability announced earlier this week.
The content management system (CMS) project published a PSA on May 18, urging administrators to reserve time for core updates that addressed an issue threat actors might start exploiting “within hours or days.”
The flaw is now tracked as CVE-2026-9082 and was discovered by Google/Mandiant researcher Michael Maturi. It affects Drupal’s database abstraction API and allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL.
SQL injection is a flaw in which attackers inject malicious SQL commands into database queries via user input fields or dialogs on websites, resulting in unauthorized access to, modification of, or deletion of database data.
The flaw is exploitable without authentication and can lead to remote code execution, privilege escalation, and data disclosure.
In an update to the advisory on May 22, Drupal confirmed that exploitation attempts have been detected.
“The risk score has been updated to reflect that exploit attempts are now being detected in the wild,” reads the updated advisory.
Drupal rated the vulnerability as “highly critical,” assigning it an internal score of 23 out of 25. However, NIST has rated it as “medium severity” based on a CVSS v3 score of 6.5.
CVE-2026-9082 impacts a broad range of Drupal versions, including:
Website owners and administrators are advised to upgrade immediately to the latest version available for their branch.
Those not using PostgreSQL are still urged to update, as the latest security updates also include fixes for upstream dependencies, including Symfony and Twig.
The advisory underlines that Drupal 8 and 9 are end-of-life (EoL) and that patches are provided on a “best-effort” basis; those branches still have various known vulnerabilities, so continuing to use them is inherently unsafe.
