Particle.news

Drupal Issues Emergency Patch for PostgreSQL SQL Injection Flaw

Administrators must apply the released fixes immediately to prevent unauthenticated attackers from using SQL injection to steal data or run code on PostgreSQL-backed sites.

Overview

  • Drupal published the security fixes in its pre-announced May 20 release window, having asked site operators to reserve that window so updates could be applied without delay.
  • The flaw sits in Drupal’s database abstraction API: specially crafted requests can cause arbitrary SQL injection on sites that use PostgreSQL as their database backend, which can lead to information disclosure, privilege escalation, or remote code execution.
  • The vulnerability is tracked as CVE-2026-9082 and carries a CVSS score of 6.5 as listed on CVE.org.
  • Fixed releases are available for the supported branches: 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. Manual hotfix files were provided on a best-effort basis for the end-of-life 8 and 9 branches, and Drupal 7 is not affected. Drupal strongly recommends moving any site on an unsupported release to a supported one such as 10.6 or newer.
  • Because Drupal powers many government, education, and enterprise sites, and past high-severity Drupal bugs have been exploited within days, administrators should patch now, assume scanning and exploit attempts will follow quickly, and schedule full upgrades for any site still on an unsupported release.
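A quick way to turn the release list above into a fleet check: the following Python script is an added example (not code from Drupal or from this page) that reads a site's composer.lock, pulls the installed drupal/core version, and classifies it against the fixed releases named in the overview. It assumes that list is complete as stated, that the site installs the drupal/core package via Composer so composer.lock names it, and it uses a constructed sample lock file rather than a real site's.

```python
import json
import re

# Fixed core releases named in the advisory summary above, keyed by
# (major, minor) branch. Any release at or above the listed patch level
# on the same branch carries the fix.
FIXED_RELEASES = {
    (11, 3): 10,
    (11, 2): 12,
    (11, 1): 10,
    (10, 6): 9,
    (10, 5): 10,
    (10, 4): 10,
}

# Accepts "10.6.9", "v11.3.10", "11.3.10-rc1", and two-part Drupal 7
# versions such as "7.102". Anything else is treated as unparseable.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return (major, minor, patch, prerelease) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), pre


def patch_status(version_text):
    """Classify an installed drupal/core version against the advisory.

    Returns one of:
      "patched"         - supported branch at or above the fixed release
      "vulnerable"      - supported branch below the fixed release
      "eol"             - Drupal 8 or 9: best-effort hotfix only, upgrade
      "unaffected"      - Drupal 7
      "unlisted-branch" - a branch the advisory does not name (e.g. 10.3)
      "unknown"         - version string could not be parsed
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"
    major, minor, patch, pre = parsed
    if major == 7:
        return "unaffected"
    if major in (8, 9):
        return "eol"
    fixed_patch = FIXED_RELEASES.get((major, minor))
    if fixed_patch is None:
        return "unlisted-branch"
    if patch > fixed_patch:
        return "patched"
    if patch == fixed_patch and pre is None:
        return "patched"
    # Below the fixed release, or a pre-release of it
    # (11.3.10-rc1 precedes 11.3.10 and does not carry the fix).
    return "vulnerable"


def core_version_from_composer_lock(lock_text):
    """Pull drupal/core's installed version out of composer.lock contents.

    Assumes the site installs the drupal/core package (the usual layout
    with drupal/core-recommended); returns None if it is absent.
    """
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None


# Constructed sample lock file for the demo; not taken from any real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core-recommended", "version": "10.6.8"},
        {"name": "drupal/core", "version": "10.6.8"},
    ]
})


def assess_lock(lock_text):
    """Return (version, status) for a composer.lock's drupal/core entry."""
    version = core_version_from_composer_lock(lock_text)
    if version is None:
        return None, "unknown"
    return version, patch_status(version)


if __name__ == "__main__":
    version, status = assess_lock(SAMPLE_LOCK)
    print(f"drupal/core {version}: {status}")
    for v in ("11.3.10", "11.3.10-rc1", "10.4.9", "9.5.11", "7.102", "10.3.14"):
        print(f"{v}: {patch_status(v)}")
```

Point `assess_lock` at each site's real composer.lock (or feed `patch_status` the core version from `drush status`) and treat anything other than "patched" or "unaffected" as work to do; "unlisted-branch" covers 10.x/11.x branches the advisory does not name, which are no longer supported and need a full upgrade rather than a point release.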