
A maximum-severity vulnerability in Drupal has triggered emergency updates across the wider open-source PHP ecosystem, exposing risks tied to dependency-chain security and unpatched infrastructure.
Drupal administrators are rushing to deploy emergency patches after the disclosure of CVE-2026-9082, a maximum-severity SQL injection vulnerability affecting Drupal Core’s database abstraction API. The flaw can be exploited remotely by anonymous attackers using specially crafted requests, potentially enabling information disclosure, privilege escalation, remote code execution (RCE), database compromise, and sensitive data theft.
The issue has rapidly evolved into a broader open-source ecosystem security incident because it also triggered upstream security updates for Symfony and Twig. Twig has already released version 3.26.0, while Symfony issued multiple security advisories.
Although the vulnerability primarily affects Drupal sites using PostgreSQL databases, Drupal urged all administrators to patch immediately regardless of database type, because the Symfony and Twig fixes affect a broader set of environments.
Drupal warned that “exploits might be developed within hours or days,” urging administrators to update the supported branches 11.3, 11.2, 10.6, and 10.5 immediately. Unsupported versions (11.1.x, 11.0.x, 10.4.x and below) remain ineligible for official fixes, though best-effort patches for Drupal 9.5 and 8.9 are expected.
“That’s a nasty vulnerability. It’s about as bad as it sounds,” said Robert Enderle. Meanwhile, Fritz Jean-Louis warned, “As an industry, we’re running out of excuses” for persistent SQL injection flaws.