Bottom Line: Critical SQL injection in Drupal Core (CVE-2026-9082) enables unauthenticated attacks. Urgent updates: 11.3.10, 11.2.12, 10.6.9, 10.5.10. Immediate installation recommended.
A severe SQL injection vulnerability in Drupal Core particularly jeopardizes PostgreSQL-based installations. Attackers can execute arbitrary SQL code without authentication. Updates are urgently recommended for versions 11.3, 11.2, 10.6, and 10.5.
The Drupal project has disclosed a critical security vulnerability (CVE-2026-9082) in the database abstraction API. The vulnerability enables SQL injection attacks through specially crafted requests that can be exploited without authentication by anonymous users.
The vulnerability primarily affects Drupal installations using PostgreSQL databases, but can endanger other systems through dependency updates. Attackers could cause data breaches, escalate privileges, or achieve remote code execution.
Drupal is providing security updates for all supported versions: the fix is included from 11.3.10 for the 11.3 branch, from 11.2.12 for 11.2, from 10.6.9 for 10.6, and from 10.5.10 for 10.5. For end-of-support versions (11.1, 11.0, 10.4 and earlier), targeted patches have been released. End-of-life versions receive manual patches.
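A quick triage check against the fixed releases listed above, as an added example that is not part of the CERT.at advisory or of the Drupal project's own tooling: the shell function compares a drupal/core version string against the fixed release for its branch and flags versions on branches the advisory names as no longer supported, which need the targeted or manual patches instead. The branch table and the sample versions come from the advisory; how the installed version is obtained (for example from `composer show drupal/core` or `drush status`) is an assumption about the deployment and is left to the caller.

```shell
#!/bin/sh
# Added example, not taken from the advisory or from Drupal: classify a
# drupal/core version as "patched", "vulnerable" or "unsupported" for
# CVE-2026-9082 using the fixed releases the advisory lists per branch.

# branch:first-fixed-release, as given in the advisory
FIXED_RELEASES="11.3:11.3.10 11.2:11.2.12 10.6:10.6.9 10.5:10.5.10"

# version_ge A B: succeed when dotted version A is >= dotted version B.
# Compares up to three numeric components; missing components count as 0.
version_ge() {
  v1="$1"; v2="$2"
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s' "$v1" | cut -d. -f"$i")
    b=$(printf '%s' "$v2" | cut -d. -f"$i")
    a=${a:-0}; b=${b:-0}
    if [ "$a" -gt "$b" ]; then return 0; fi
    if [ "$a" -lt "$b" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# drupal_core_status VERSION: print patched | vulnerable | unsupported.
drupal_core_status() {
  version="${1%%-*}"        # drop a -dev/-beta style suffix if present
  branch="${version%.*}"    # 11.3.9 -> 11.3
  for entry in $FIXED_RELEASES; do
    b="${entry%%:*}"
    fixed="${entry#*:}"
    if [ "$branch" = "$b" ]; then
      if version_ge "$version" "$fixed"; then
        echo patched
      else
        echo vulnerable
      fi
      return 0
    fi
  done
  # Branch not among the supported ones (11.1, 11.0, 10.4 and earlier):
  # the advisory points to targeted or manual patches; flag for review.
  echo unsupported
}

# Usage: pass the installed version as the first argument, e.g. the value
# reported by "composer show drupal/core" (assumed deployment detail).
# The default below is a constructed sample value.
drupal_core_status "${1:-11.3.9}"
```

The check deliberately treats any version whose branch is not in the table as needing manual review rather than assuming it is safe, since those branches receive fixes outside the normal release stream.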
CERT.at recommends applying security updates immediately. As an additional precaution, administrators should review which user roles can modify Twig templates, as Symfony and Twig are also being updated.
Source: www.cert.at