{“lastseen”:”2026-05-21T04:14:29″,”description”:”\\n\\nDrupal has released security updates for a \\”highly critical\\” security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.\\n\\nThe vulnerability, now tracked as **CVE-2026-9082**, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is used in Drupal Core to validate queries and ensure they are sanitized against SQL injection attacks.\\n\\n\\”A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases,\\” it said. \\”This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.\\”\\n\\nDrupal noted the security flaw can be exploited by anonymous users, and impacts only sites that use PostgreSQL. The following versions address the issue -\\n\\n * Drupal 11.3.10\\n * Drupal 11.2.12\\n * Drupal 11.1.10\\n * Drupal 10.6.9\\n * Drupal 10.5.10\\n * Drupal 10.4.10\\n\\n\\n\\nDrupal 7 isn’t affected. The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.\\n\\nAs previously disclosed by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life -\\n\\n * Drupal 9.5\\n * Drupal 8.9\\n\\n\\n\\n\\”Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage,\\” Drupal said. \\”Drupal 8 and Drupal 9 have both reached end-of-life. \\n\\n\\”Due to this issue’s severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.\\”\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2026-05-21T03:44:00″,”modified”:”2026-05-21T03:59:40″,”type”:”thn”,”title”:”Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks”,”source”:””,”references”:””,”id”:”THN:C4052E6A3AF91D2CC9C9BB647C097470″,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[“CVE-2026-9082″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2026\/05\/highly-critical-drupal-core-flaw.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-21T04:14:29″,”description”:”\\n\\nDrupal has released security updates for a \\”highly critical\\” security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,26,12,21,13,7,11,43,5],"class_list":["post-55984","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n