Critical SQL Injection Vulnerability Patched in Drupal Core
**Drupal** has issued urgent security updates to address a critical SQL injection vulnerability affecting sites using **PostgreSQL** databases. The flaw, identified as **CVE-2026-9082**, could allow attackers to execute arbitrary code, escalate privileges, or disclose sensitive information.

### Drupal Core Vulnerability: CVE-2026-9082
A "highly critical" security vulnerability has been discovered in **Drupal** Core, prompting the release of immediate security patches. The vulnerability, tracked as **CVE-2026-9082**, poses significant risks, including remote code execution (RCE), privilege escalation, and information disclosure.
The vulnerability has a CVSS score of 6.5 out of 10.0. According to **Drupal**, the flaw resides within a database abstraction API used to validate queries and prevent SQL injection attacks.
### Technical Details
"A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using **PostgreSQL** databases," **Drupal** stated in its advisory. Successful exploitation could lead to:
* Information disclosure
* Privilege escalation
* Remote code execution
### Affected Versions and Mitigation
The vulnerability can be exploited by anonymous users and affects only sites running **PostgreSQL**. The following releases contain the fix:
* Drupal 11.3.10
* Drupal 11.2.12
* Drupal 11.1.10
* Drupal 10.6.9
* Drupal 10.5.10
* Drupal 10.4.10
**Drupal** 7 is not affected by this vulnerability. The updated releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) also incorporate upstream security updates for **Symfony** and **Twig**, which is a further reason to install the latest releases even on sites whose database is not **PostgreSQL**.
### End-of-Life Versions
Manual patches have been released for **Drupal** versions 9 and 8, which have reached their end-of-life (EOL):
* Drupal 9.5
* Drupal 8.9
**Drupal** has cautioned that versions 11.1.x, 11.0.x, 10.4.x, and below are EOL and will not receive security coverage. While patches for unsupported versions are provided as a best effort, these versions may still be vulnerable to previously disclosed security flaws.
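The version list and branch status above translate directly into a triage rule for a site inventory. The script below is an added example (not Drupal's code or part of the advisory) that classifies each site as patched, vulnerable, EOL-with-manual-patch, EOL-without-fix, or not affected, using the fixed releases and EOL branches named on this page; the hostnames, versions and database drivers in `SAMPLE_SITES` are constructed sample data, and `db_driver` is assumed to be Drupal's database driver key (`pgsql`, `mysql`).

```python
"""Triage helper for CVE-2026-9082 using the fixed releases listed in the advisory summary."""
import re

# Branch -> first patch level that contains the fix (from the advisory).
FIXED = {(11, 3): 10, (11, 2): 12, (11, 1): 10, (10, 6): 9, (10, 5): 10, (10, 4): 10}
SUPPORTED = {(11, 3), (11, 2), (10, 6), (10, 5)}  # branches still receiving security coverage
MANUAL_PATCH = {(9, 5), (8, 9)}                    # EOL branches covered only by a manual patch

def parse_version(text):
    """'10.5.3' -> (10, 5, 3); Drupal 7 uses two components, so '7.103' -> (7, 103, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def assess(version, db_driver):
    """Return (status, advice) for one site; db_driver is the Drupal driver key, e.g. 'pgsql'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if major == 7:
        return "not_affected", "Drupal 7 is not affected by CVE-2026-9082"
    if branch not in FIXED:
        if branch in MANUAL_PATCH:
            return "eol_manual_patch", "EOL branch: apply the manual patch, then migrate"
        return "eol_unfixed", "EOL branch with no fix: migrate to a supported branch"
    target = f"{major}.{minor}.{FIXED[branch]}"
    if patch >= FIXED[branch]:
        status, advice = "patched", f"release {version} contains the fix"
    else:
        status, advice = "vulnerable", f"update to {target}"
        if db_driver != "pgsql":
            # The injection is scoped to PostgreSQL, but the same releases carry Symfony/Twig fixes.
            advice += " (injection is PostgreSQL-only; release still carries Symfony and Twig fixes)"
    if branch not in SUPPORTED:
        advice += "; branch is EOL, plan a move to a supported branch"
    return status, advice

# Constructed inventory: (hostname, Drupal core version, database driver). Not real hosts.
SAMPLE_SITES = [
    ("intranet.example", "10.5.3", "pgsql"),
    ("blog.example", "11.1.9", "mysql"),
    ("archive.example", "7.103", "pgsql"),
]

if __name__ == "__main__":
    for host, version, driver in SAMPLE_SITES:
        status, advice = assess(version, driver)
        print(f"{host:18} {version:8} {driver:6} {status:17} {advice}")
```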