The clock is ticking, and delay risks the irrevocable loss of confidential information.

Administrators of Drupal sites need to urgently check which version of the CMS they are running, especially if the project uses PostgreSQL. A vulnerability has been found in the CMS core through which an attacker can reach the site's data, escalate privileges and, in some scenarios, run code on the server.
The problem received the identifier CVE-2026-9082 and a score of 6.5 on the CVSS scale. Although that is not the highest rating, Drupal classified the vulnerability as "highly critical" because of the possible consequences. No account is required for exploitation; requests can be sent by an anonymous user.
The vulnerability affects the database abstraction API in Drupal Core. This mechanism validates queries and helps protect sites from SQL injection. A flaw in that validation allows a specially crafted request to perform arbitrary SQL injection on sites that use PostgreSQL.
The Drupal team has released the fixed versions 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10 and 10.4.10. Drupal 7, according to the project, is not affected. For the supported branches 11.3, 11.2, 10.6 and 10.5, the new builds also include Symfony and Twig security updates, so delaying the upgrade is risky.
Separate patches for manual application have been prepared for Drupal 9.5 and 8.9, although both branches are already out of support. The developers emphasize that these patches are released only as temporary help because of the seriousness of the problem. The old versions still contain other previously disclosed vulnerabilities, and Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x and earlier branches no longer receive full support.
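As an added example (not part of the original article and not Drupal project code), the Python sketch below triages a site inventory against the fixed releases and manual-patch branches listed above. The inventory, the status labels and the use of the `pgsql` driver name to flag PostgreSQL sites are assumptions of this example.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch -> patch level.
FIXED = {(11, 3): 10, (11, 2): 12, (11, 1): 10, (10, 6): 9, (10, 5): 10, (10, 4): 10}
# Out-of-support branches for which the article says only manual patches exist.
MANUAL_PATCH = {(9, 5), (8, 9)}

def parse_version(text):
    """Return (major, minor, patch) from strings such as '10.5.3' or '11.2.12-dev'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor, patch = m.groups()
    # A missing patch number (e.g. '11.2.x-dev') is treated as 0, i.e. as unpatched.
    return int(major), int(minor), int(patch or 0)

def triage(version, db_driver):
    """Classify one site; status labels are hypothetical names chosen for this example."""
    major, minor, patch = parse_version(version)
    if major == 7:
        return "not-affected"              # article: Drupal 7 is not affected
    branch = (major, minor)
    if branch > max(FIXED):
        return "newer-than-article"        # branch released after the listed fixes
    # The injection is reported for PostgreSQL sites, so those are flagged as urgent.
    suffix = "-urgent" if db_driver.lower() == "pgsql" else ""
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "upgrade" + suffix
    if branch in MANUAL_PATCH:
        return "manual-patch" + suffix     # temporary patch only, branch is unsupported
    return "no-fix-listed" + suffix        # move to a branch with a fixed release

# Constructed inventory (site name, core version, database driver); not real data.
INVENTORY = [
    ("shop", "10.5.3", "pgsql"),
    ("intranet", "11.3.10", "pgsql"),
    ("blog", "11.2.4", "mysql"),
    ("archive", "9.5.11", "pgsql"),
    ("legacy", "7.98", "mysql"),
    ("old", "10.2.7", "pgsql"),
]

def report(inventory):
    """Map each site name to its triage status."""
    return {name: triage(version, driver) for name, version, driver in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:10} {status}")
```

Sites on other databases that are below the fixed release are still reported as `upgrade`, since the article notes the new builds for supported branches also carry Symfony and Twig security updates.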
