CyberHappenings

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

PostgreSQL-targeting SQL injection in Drupal Core enables remote code execution

1 unique source, 1 article

Summary


A highly critical SQL injection vulnerability in Drupal Core's database abstraction API can give unauthenticated attackers remote code execution, privilege escalation, or information disclosure on Drupal sites using PostgreSQL. The flaw, tracked as CVE-2026-9082 with a CVSS score of 6.5, allows arbitrary SQL execution via crafted requests sent to PostgreSQL-backed Drupal installations. Exploitation does not require authentication, and only sites running on PostgreSQL are affected. The issue spans multiple supported Drupal versions and has prompted urgent patching for active branches and manual fixes for end-of-life releases.

Timeline

  1. 21.05.2026 06:44 · 1 article

    Critical SQL injection in Drupal Core’s PostgreSQL abstraction API patched across supported versions

    A critical SQL injection vulnerability in Drupal Core’s database abstraction API allows unauthenticated attackers to execute arbitrary SQL commands on PostgreSQL-backed Drupal installations. Patches have been issued for active Drupal branches (11.3, 11.2, 10.6, 10.5) and manual fixes provided for end-of-life versions (9.5, 8.9). Drupal 7 and lower branches are unaffected. Immediate updates are required to prevent potential remote code execution and privilege escalation.


Information Snippets