
Drupal is warning that hackers are attempting to exploit a "highly critical" SQL injection vulnerability disclosed earlier this week.
The content management system (CMS) project published a PSA on May 18, urging administrators to reserve time for core updates that addressed an issue threat actors could start exploiting "within hours or days."
The flaw is now tracked as CVE-2026-9082 and was discovered by Google/Mandiant researcher Michael Maturi. It affects Drupal's database abstraction API and allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL.
SQL injection is a flaw in which attackers inject malicious SQL commands into database queries via user input fields or dialogs on websites, resulting in unauthorized access to, modification of, or deletion of database data.
The flaw is exploitable without authentication and could result in remote code execution, privilege escalation, and information disclosure.
In an update to the advisory on May 22, Drupal confirmed that exploitation attempts have been detected.
"The risk score has been updated to reflect that exploit attempts are now being detected in the wild," reads the updated advisory.
Drupal rated the vulnerability as "highly critical," assigning it an internal score of 23 out of 25. However, NIST has rated it as "medium severity" based on a CVSS v3 score of 6.5.
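The two paragraphs above describe SQL injection in general terms. The following is an added example, not code from the article or from the Drupal project, and it does not reproduce the CVE-2026-9082 defect (the advisory text here gives no details of it). It uses a constructed SQLite in-memory table and the standard `sqlite3` module to show the vulnerable pattern (user input concatenated into the query text) beside the hardened pattern (the value bound as a parameter), so that the same input returns every row in one case and no rows in the other.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table standing in for a CMS database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "editor"), (3, "carol", "viewer")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable pattern: the input is pasted into the SQL text, so a quote
    # character in `name` ends the string literal and the rest becomes SQL.
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Hardened pattern: the SQL text is fixed and the value travels as a bound
    # parameter, so the whole input is compared literally against the column.
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # Runs both lookups with a benign name and with a constructed hostile
    # input that closes the quote and appends an always-true condition.
    conn = make_db()
    benign = "bob"
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The unsafe lookup returns all three rows for the hostile input because the query it executes has become `... WHERE name = 'x' OR '1'='1'`; the parameterised lookup returns nothing, because no user is literally named `x' OR '1'='1`. The same rule applies to any database driver, PostgreSQL included: query structure comes from code, values come from parameters.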
Impact and recommendations
CVE-2026-9082 impacts a broad range of Drupal versions, including:
- Drupal 8.9.x
- Drupal 10.4.x prior to 10.4.10
- Drupal 10.5.x prior to 10.5.10
- Drupal 10.6.x prior to 10.6.9
- Drupal 11.0.x / 11.1.x prior to 11.1.10
- Drupal 11.2.x prior to 11.2.12
- Drupal 11.3.x prior to 11.3.10
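As an added example (not from the article or the Drupal project), the list above can be turned into a triage check that an administrator runs against the core version strings of a fleet of sites. The ranges encoded below are exactly those listed; the line "11.0.x / 11.1.x prior to 11.1.10" is read here, as an assumption, as "all of 11.0.x, and 11.1.x before 11.1.10". Branches the list does not name (for example 9.x) are reported as "not listed" rather than as safe, since the advisory says nothing about them here.

```python
# Affected branches from the advisory list: (major, minor) -> first fixed patch
# level, or None when the whole branch is listed with no fixed release.
AFFECTED_BRANCHES = {
    (8, 9): None,
    (10, 4): 10,
    (10, 5): 10,
    (10, 6): 9,
    (11, 0): None,  # assumption: "11.0.x / 11.1.x prior to 11.1.10" covers all of 11.0.x
    (11, 1): 10,
    (11, 2): 12,
    (11, 3): 10,
}


def parse_version(text):
    # Accepts strict "major.minor.patch" strings such as "10.5.3".
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text):
    # Returns "affected", "fixed", or "not listed" for one version string.
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch not in AFFECTED_BRANCHES:
        return "not listed"
    fixed = AFFECTED_BRANCHES[branch]
    if fixed is None or patch < fixed:
        return "affected"
    return "fixed"


def triage(versions):
    # Groups a fleet inventory of version strings by their assessment.
    report = {"affected": [], "fixed": [], "not listed": []}
    for v in versions:
        report[assess(v)].append(v)
    return report


if __name__ == "__main__":
    # Constructed inventory of site versions, not taken from any real deployment.
    fleet = ["10.5.3", "10.5.10", "11.3.9", "11.2.12", "8.9.20", "9.5.11"]
    for status, sites in triage(fleet).items():
        print(f"{status}: {sites}")
```

Anything reported as "affected" should be upgraded to the latest release of its branch; "not listed" entries need a manual check against the full advisory.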
Site owners and administrators are advised to upgrade immediately to the latest version available for their branch.
Those not using PostgreSQL are still urged to update, as the latest security updates also include fixes for upstream dependencies, including Symfony and Twig.
The advisory underlines that Drupal 8 and 9 are end-of-life (EoL) and that patches are provided on a "best-effort" basis; however, those branches still contain other known vulnerabilities, so continuing to use them is inherently risky.
