CVE-2026-9082

Name of the Vulnerable Software and Affected Versions Drupal core versions 8.9.0 through 10.4.9 Drupal core versions 10.5.0 through 10.5.9 Drupal core versions 10.6.0 through 10.6.8 Drupal core versions 11.0.0 through 11.1.9 Drupal core versions 11.2.0 through 11.2.11 Drupal core versions 11.3.0 through 11.3.9

Description An issue in the database abstraction API allows anonymous attackers to send specially crafted requests to execute arbitrary SQL injection on sites using PostgreSQL databases. This can lead to information disclosure and potentially result in privilege escalation or remote code execution.

Recommendations Update to version 10.4.10 or later for versions 8.9.0 through 10.4.9. Update to version 10.5.10 or later for versions 10.5.0 through 10.5.9. Update to version 10.6.9 or later for versions 10.6.0 through 10.6.8. Update to version 11.1.10 or later for versions 11.0.0 through 11.1.9. Update to version 11.2.12 or later for versions 11.2.0 through 11.2.11. Update to version 11.3.10 or later for versions 11.3.0 through 11.3.9.