Drupal Patches Critical Security Flaw That Could Let Hackers Take Over Websites
Drupal has issued critical security updates for a vulnerability in its core content management system that could allow attackers to execute malicious code, escalate their privileges, or extract sensitive data from affected websites. The flaw is only exploitable on installations that use PostgreSQL as their database backend; sites running MySQL or SQLite are not affected by this particular attack vector.
The vulnerability, tracked as CVE-2026-9082 and rated 6.5 out of 10, is an SQL injection flaw: input that reaches database queries is not properly sanitized when Drupal runs against PostgreSQL. An attacker can trigger it by sending specially crafted requests to a vulnerable site, compromising data integrity and potentially the system itself. It requires no authentication, so any remote client can attempt it, but only PostgreSQL-backed installations are at risk.
Drupal has released fixed versions for the currently supported branches 11.3, 11.2, 10.6 and 10.5; Drupal 7 is confirmed as unaffected. The releases also carry security fixes for bundled dependencies such as Symfony and Twig, so installing them matters even for sites that do not run PostgreSQL. Unusually, Drupal has also published manual patches for the end-of-life 8 and 9 branches because of the issue's severity, while cautioning that those unsupported versions remain exposed to other known vulnerabilities.
The situation is more urgent now that Searchlight Cyber has released proof-of-concept exploit code demonstrating the attack against PostgreSQL-based Drupal sites. Administrators should update immediately, regardless of database backend, both to close this SQL injection flaw and to pick up the other security fixes in the latest releases.
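The first question for anyone running a fleet of Drupal sites is which of them are actually exposed: which database driver each site uses and which core branch it is on. The helper below is an added example written for this article; it is not Drupal's own tooling and not part of the advisory. It assumes the standard Drupal layout, where `core/lib/Drupal.php` carries `const VERSION = 'X.Y.Z';` and `sites/default/settings.php` sets the `$databases` driver, and it maps the branch to the categories the advisory describes (fixed branches 11.3/11.2/10.6/10.5, EOL 8.x/9.x with manual patches only, 7.x unaffected). The `make_sample_site` function only builds a constructed mock site so the script can be run offline; point the script at a real Drupal root instead to triage it.

```bash
#!/usr/bin/env bash
# Triage helper added for this article; not Drupal's own tooling.
# Assumed layout of a Drupal root:
#   <root>/core/lib/Drupal.php         contains  const VERSION = 'X.Y.Z';
#   <root>/sites/default/settings.php  contains  'driver' => 'pgsql' (or mysql, sqlite)

# Print the configured database driver (pgsql, mysql, sqlite) from a settings.php file.
drupal_db_driver() {
  grep -oE "['\"]driver['\"][[:space:]]*=>[[:space:]]*['\"][a-z_]+['\"]" "$1" 2>/dev/null \
    | head -n 1 | sed -E "s/.*=>[[:space:]]*['\"]([a-z_]+)['\"]/\1/"
}

# Print the core version string from core/lib/Drupal.php.
drupal_core_version() {
  grep -oE "const VERSION = '[^']+'" "$1" 2>/dev/null \
    | head -n 1 | sed -E "s/.*'([^']+)'/\1/"
}

# Map a core version (X.Y.Z) to the branches named in the advisory:
#   fixed-branch     : 11.3, 11.2, 10.6, 10.5 (install the released update)
#   eol-manual-patch : 8.x / 9.x (unsupported; manual patch only)
#   unaffected       : 7.x
#   not-listed       : anything else (move to a supported branch)
drupal_branch_status() {
  local major minor
  major=${1%%.*}
  minor=${1#*.}
  minor=${minor%%.*}
  case "$major.$minor" in
    11.3|11.2|10.6|10.5) echo fixed-branch ;;
    8.*|9.*)             echo eol-manual-patch ;;
    7.*)                 echo unaffected ;;
    *)                   echo not-listed ;;
  esac
}

# One-line verdict for a Drupal root: exposed to this PostgreSQL-only SQLi, or not.
# Sites that are "not-exposed" still need the update for the Symfony/Twig fixes.
drupal_triage() {
  local root=$1 driver version status exposure
  driver=$(drupal_db_driver "$root/sites/default/settings.php")
  version=$(drupal_core_version "$root/core/lib/Drupal.php")
  status=$(drupal_branch_status "$version")
  if [ -z "$driver" ] || [ -z "$version" ]; then
    exposure=unknown
  elif [ "$driver" = "pgsql" ] && [ "$status" != "unaffected" ]; then
    exposure=exposed
  else
    exposure=not-exposed
  fi
  echo "driver=${driver:-unknown} version=${version:-unknown} branch=$status exposure=$exposure"
}

# Build a constructed mock site (NOT a real install) under $1 so the helper
# can be exercised offline; $2 is the driver, $3 the core version.
make_sample_site() {
  local root=$1 driver=$2 version=$3
  mkdir -p "$root/core/lib" "$root/sites/default"
  printf "<?php\nclass Drupal {\n  const VERSION = '%s';\n}\n" "$version" \
    > "$root/core/lib/Drupal.php"
  printf "<?php\n\$databases['default']['default'] = [\n  'database' => 'drupal',\n  'driver' => '%s',\n];\n" "$driver" \
    > "$root/sites/default/settings.php"
}

# Usage: ./drupal_triage.sh /var/www/site   (real root)
#        ./drupal_triage.sh                 (demo on constructed mock sites)
if [ -n "${1:-}" ]; then
  drupal_triage "$1"
else
  demo=$(mktemp -d)
  make_sample_site "$demo/pg" pgsql 10.5.1
  make_sample_site "$demo/my" mysql 11.2.0
  drupal_triage "$demo/pg"   # driver=pgsql version=10.5.1 branch=fixed-branch exposure=exposed
  drupal_triage "$demo/my"   # driver=mysql version=11.2.0 branch=fixed-branch exposure=not-exposed
  rm -rf "$demo"
fi
```

The branch mapping deliberately reports "not-listed" for any branch the advisory does not name, rather than guessing that it is safe; a site on such a branch should be moved to a supported one. A "not-exposed" verdict only means this CVE does not apply; the update is still due for the bundled Symfony and Twig fixes.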
Stay secure — stay Wavasec. 🔐