CVE-2026-9082

描述

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. This vulnerability can be exploited by anonymous users. This SQL injection vulnerability **only affects sites using PostgreSQL**. However, the third-party dependency updates in these releases apply to all sites. ### Updates **May 22 2026, 04:30 UTC:** The risk score has been updated to reflect that exploit attempts are now being detected in the wild. ### Upstream security advisories The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important [Security Advisories](https://symfony.com/blog/category/security-advisories) that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities. Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so **updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not**. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.

受影響套件(1)

• Packagist/drupal/core>= 8.9.0, < 10.4.10 | >= 10.5.0, < 10.5.10 | >= 10.6.0, < 10.6.9 | >= 11.0.0, < 11.1.10 | >= 11.2.0, < 11.2.12 | >= 11.3.0, < 11.3.10

CVSS 分數

參考連結(1)

• WEBhttps://www.drupal.org/sa-core-2026-004