Drupal issues emergency patch for critical SQL injection
🚨Drupal administrators must apply an emergency core update to address a “highly critical” SQL injection defect (CVE-2026-9082) that affects sites using PostgreSQL. The release also bundles upstream fixes for Symfony and Twig, so Drupal urges updates even for non-Postgres deployments. Supported branches 11.3, 11.2, 10.6 and 10.5 are patched, while end-of-life versions may receive unsupported best-effort patches. The flaw permits anonymous attackers to send crafted requests resulting in arbitrary SQL injection, information disclosure, and potential privilege escalation or remote code execution.
