Drupal warns that attackers are attempting to exploit a "highly critical" SQL injection vulnerability disclosed earlier this week.
The content management system (CMS) project issued a PSA on May 18 asking administrators to set aside time for core updates that address issues threat actors could begin to exploit "within hours or days."
The flaw is currently tracked as CVE-2026-9082 and was discovered by Google/Mandiant researcher Michael Maturi. It affects Drupal's database abstraction API and allows specially crafted requests to trigger arbitrary SQL injection on sites running PostgreSQL.
SQL injection is a flaw that allows an attacker to inject malicious SQL commands into a database query through a user input field or dialog on a website, resulting in unauthorized access to, modification of, or deletion of database data.
This flaw can be exploited without authentication and could lead to remote code execution, privilege escalation, and information disclosure.
In an advisory update on May 22, Drupal confirmed that an exploitation attempt had been detected.
The updated advisory states, "The risk score has been updated to reflect that exploit attempts are now being detected in the wild."
Drupal rated this vulnerability as "Highly Critical" and assigned it an internal score of 23 out of 25. However, NIST rated the vulnerability as "moderate severity" based on a CVSS v3 score of 6.5.
Impact and recommendations
CVE-2026-9082 affects a range of Drupal versions, including:
- Drupal 8.9.x
- Drupal 10.4.x before Drupal 10.4.10
- Drupal 10.5.x before Drupal 10.5.10
- Drupal 10.6.x before Drupal 10.6.9
- Drupal 11.0.x / 11.1.x before 11.1.10
- Drupal 11.2.x before Drupal 11.2.12
- Drupal 11.3.x before Drupal 11.3.10
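As an added example (not from the advisory or the Drupal project), the check below turns the affected-version list above into a function an administrator can run against an installed site's core version. The version numbers are the ones listed on this page; the helper names and the sample `Drupal.php` contents are constructed for the example, and the only Drupal-specific assumption is that `core/lib/Drupal.php` declares the version in a `const VERSION = '...';` line.

```python
import re

# Affected branches from the advisory summary: branch prefix -> first fixed
# release, or None where no fixed release is listed (8.9.x is end of life).
AFFECTED_BRANCHES = {
    "8.9": None,
    "10.4": "10.4.10",
    "10.5": "10.5.10",
    "10.6": "10.6.9",
    "11.0": "11.1.10",  # 11.0.x and 11.1.x are both fixed in 11.1.10
    "11.1": "11.1.10",
    "11.2": "11.2.12",
    "11.3": "11.3.10",
}


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_from_drupal_php(source):
    """Extract the core version from the contents of core/lib/Drupal.php."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", source)
    return m.group(1) if m else None


def is_affected(version):
    """True if vulnerable, False if on a fixed release, None if the branch
    is not covered by the list above (check the advisory directly)."""
    major, minor, _ = parse_version(version)
    branch = f"{major}.{minor}"
    if branch not in AFFECTED_BRANCHES:
        return None
    fixed = AFFECTED_BRANCHES[branch]
    if fixed is None:
        return True  # no fixed release on this branch
    return parse_version(version) < parse_version(fixed)


# Constructed sample of the one line that matters in core/lib/Drupal.php.
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '10.4.9';\n}\n"

if __name__ == "__main__":
    found = version_from_drupal_php(SAMPLE_DRUPAL_PHP)
    print(found, "affected:", is_affected(found))
```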
We recommend that site owners and administrators immediately upgrade to the latest version available on their branch.
The latest security updates also include fixes for upstream dependencies such as Symfony and Twig, so updating is recommended even if you do not use PostgreSQL.
The advisory emphasizes that Drupal 8 and 9 are End of Life (EoL) and that patches will be provided on a "best effort" basis. However, these branches still contain other known vulnerabilities, so continuing to use them is inherently risky.

