Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks
Key Points:
- Drupal has issued security updates for a "highly critical" vulnerability (CVE-2026-9082) in its Core database abstraction API that could enable remote code execution, privilege escalation, or information disclosure.
- The flaw affects sites using PostgreSQL databases and can be exploited by anonymous users through specially crafted requests leading to arbitrary SQL injection.
- Fixed versions include Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10, while Drupal 7 is not affected.
- Manual patches are available for end-of-life Drupal 9 and 8 versions, but unsupported releases do not receive official security coverage and may remain vulnerable.
- The latest updates also include upstream security fixes for Symfony and Twig, making it crucial for users to upgrade to supported versions promptly.
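
The key points above, turned into an inventory triage check. This is an added example, not code from Drupal or the advisory; the status labels, the inventory format, the driver aliases other than pgsql, and the handling of branches the summary does not list (flagged for manual review) are assumptions.

```python
import re

# Fixed release per branch, taken from the key points above: (major, minor) -> patch
FIXED = {(11, 3): 10, (11, 2): 12, (11, 1): 10, (10, 6): 9, (10, 5): 10, (10, 4): 10}
PGSQL_DRIVERS = {"pgsql", "postgresql", "postgres"}  # aliases are an assumption
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(-[\w.]+)?")

def triage(version: str, db_driver: str) -> str:
    """Classify one site by Drupal core version and database driver."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        return "unknown-version"
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) is not None else None
    prerelease = m.group(4) is not None  # e.g. -rc1 or -dev sorts before the release
    if major == 7:
        return "not-affected"  # Drupal 7 is stated as not affected
    pgsql = db_driver.strip().lower() in PGSQL_DRIVERS
    if major in (8, 9):
        # End-of-life: only manual patches exist, no official security coverage
        return "eol-manual-patch" if pgsql else "eol-non-postgresql"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Assumption: a branch the summary does not list needs a human decision
        return "unlisted-branch-review"
    if patch is not None and (patch > fixed or (patch == fixed and not prerelease)):
        return "patched"
    # Below the fixed release: the SQL injection applies to PostgreSQL sites only,
    # but the same releases carry the Symfony and Twig fixes for everyone else
    return "update-now" if pgsql else "update-for-upstream-fixes"

def triage_inventory(sites):
    """Map site name -> status for an iterable of (name, version, driver)."""
    return {name: triage(version, driver) for name, version, driver in sites}

if __name__ == "__main__":
    # Constructed sample inventory, not real sites
    sample = [
        ("shop", "11.3.9", "pgsql"),
        ("intranet", "10.5.3", "mysql"),
        ("archive", "9.5.11", "pgsql"),
        ("legacy", "7.103", "pgsql"),
        ("blog", "10.4.10", "pgsql"),
    ]
    for name, status in triage_inventory(sample).items():
        print(f"{name:10} {status}")
```
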