Drupal Security Alert: New SQL Injection Vulnerability Exploited by Hackers
Critical SQL Injection Flaw Targets Drupal Websites
A highly critical SQL injection vulnerability, identified as CVE-2026-9082, has emerged as a pressing concern for Drupal website administrators.
This type of vulnerability can lead to unauthorized access, modification, or deletion of database data. SQL injection is a remotely exploitable weakness that affects sites using PostgreSQL, allowing attackers to execute arbitrary SQL code without authentication.
The Impact Extends Beyond Drupal
The flaw also affects various upstream dependencies, including Symfony and Twig. Website owners and administrators are urged to update their systems, even if they do not use PostgreSQL, to ensure they receive the latest security patches.
Affected Versions and Urgent Attention Required
The vulnerability is present across a wide range of Drupal versions, including:
- Drupal 8.9.x
- Drupal 10.4.x
- Drupal 10.5.x
- Drupal 10.6.x
- Drupal 11.0.x/11.1.x
- Drupal 11.2.x/11.3.x
Affected versions prior to 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10 require urgent attention, even though Drupal 8 and 9 are considered end-of-life. Patches are still being provided on a best-effort basis, but continued use of these branches poses inherent risks due to known vulnerabilities.
Recommended Steps to Address the Issue
Website owners and administrators are strongly advised to take immediate action:
- Back up their site
- Update their core
- Test critical paths in staging before proceeding
- Review and adjust any custom code to ensure compatibility with the updated version
- Verify the effectiveness of their security measures and updates
By following these precautions, website administrators can minimize the risk associated with this vulnerability and maintain the integrity of their Drupal-based platforms.
About Author
English