Drupal core security update for CVE-2026-9082
Security Patch Release
Summary
Hide ▲
Show ▼
Drupal released security updates for CVE-2026-9082, a highly critical SQL injection flaw affecting PostgreSQL-backed sites, and urged administrators to upgrade immediately. The update covers multiple Drupal branches, including 10.x and 11.x, and also includes fixes for upstream dependencies such as Symfony and Twig. The advisory matters because the flaw is unauthenticated and exploit attempts were already being detected in the wild.
Related Happenings
JCE Pro 2.9.99.6 patch for CVE-2026-48907
Security Patch Release
H score46
First: 17.06.2026 13:09
Last: 17.06.2026 13:09
Sources 1
About this happening:
**JCE security team** released **JCE Pro 2.9.99.6** in **early June 2026** to fix **CVE-2026-48907** in the **Widget Factory Joomla Content Editor (JCE) plugin**. The update addre...
JCE Pro 2.9.99.6 patch for CVE-2026-48907
Security Patch ReleaseAbout this happening: **JCE security team** released **JCE Pro 2.9.99.6** in **early June 2026** to fix **CVE-2026-48907** in the **Widget Factory Joomla Content Editor (JCE) plugin**. The update addre...
Ivanti Sentry patch release for CVE-2026-10520 and CVE-2026-10523
Security Patch Release
H score54
First: 10.06.2026 09:26
Last: 10.06.2026 09:26
Sources 1
About this happening:
**Ivanti** released a **patch bundle** for **Sentry** after identifying **two critical vulnerabilities** in the secure mobile gateway appliance, including **CVE-2026-10520** and *...
Ivanti Sentry patch release for CVE-2026-10520 and CVE-2026-10523
Security Patch ReleaseAbout this happening: **Ivanti** released a **patch bundle** for **Sentry** after identifying **two critical vulnerabilities** in the secure mobile gateway appliance, including **CVE-2026-10520** and *...
Gogs 0.14.3 security update for argument injection flaw
Security Patch Release
H score60
First: 08.06.2026 19:18
Last: 08.06.2026 19:18
Sources 1
About this happening:
The **Gogs maintainers** shipped **version 0.14.3** to fix a critical **argument injection** zero-day that could let attackers compromise **Internet-facing instances** and reach *...
Gogs 0.14.3 security update for argument injection flaw
Security Patch ReleaseAbout this happening: The **Gogs maintainers** shipped **version 0.14.3** to fix a critical **argument injection** zero-day that could let attackers compromise **Internet-facing instances** and reach *...
LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)
Security Patch Release
H score42
First: 27.05.2026 13:06
Last: 27.05.2026 13:06
Sources 1
About this happening:
LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...
LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)
Security Patch ReleaseAbout this happening: LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...
Latest development: 16.06.2026 13:47
CISA added CVE-2026-48172/CVE-2026-54420 in the LiteSpeed cPanel user-end plugin to the Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within three days under BOD 26-04. The affected plugin versions before 2.4.8 are described as actively exploited, with FTP or web shell access enabling root escalation on shared hosting servers running CloudLinux/CageFS.
CISA orders FCEB patching for CVE-2026-9082
Public Sector Action
H score70
First: 26.05.2026 11:46
Last: 26.05.2026 11:46
Sources 1
How related:
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by Binding Operational Directive (BOD) 22-01.
About this happening:
**CISA** added **CVE-2026-9082** to the **KEV Catalog** and ordered **FCEB agencies** to patch **Drupal** by **May 27**, turning an actively exploited flaw into a mandatory federa...
CISA orders FCEB patching for CVE-2026-9082
Public Sector ActionHow related: On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by Binding Operational Directive (BOD) 22-01.
About this happening: **CISA** added **CVE-2026-9082** to the **KEV Catalog** and ordered **FCEB agencies** to patch **Drupal** by **May 27**, turning an actively exploited flaw into a mandatory federa...
Timeline
-
22.05.2026 03:00 2 articles · 1mo ago
Drupal confirms exploitation attempts for CVE-2026-9082
Detection Ioc UpdateDrupal updated its advisory on May 22, 2026 to say exploitation attempts were being detected in the wild and reiterated that website owners and administrators should upgrade immediately to the latest version available for their branch, including Drupal 10.4.x before 10.4.10, 10.5.x before 10.5.10, 10.6.x before 10.6.9, and 11.0.x / 11.1.x before 11.1.10, with bundled fixes for upstream dependencies such as Symfony and Twig.
Show sources
- Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
- CISA orders feds to patch actively exploited Drupal vulnerability — www.bleepingcomputer.com — 26.05.2026 11:46
-
18.05.2026 03:00 2 articles · 1mo ago
Drupal issues PSA for CVE-2026-9082
Initial DisclosureDrupal published a PSA on May 18, 2026 warning administrators to reserve time for core updates after announcing CVE-2026-9082, a highly critical SQL injection flaw in Drupal’s database abstraction API that affects PostgreSQL sites and may be exploited within hours or days.
Show sources
- Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
- Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14