Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN529
_____________________________________________________________________

DATE                : 21/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions prior to
                          11.3.10, 11.2.12, 11.1.10, 10.6.9,
                                 10.5.10, 10.4.10.

=====================================================================
https://www.drupal.org/sa-core-2026-004
_____________________________________________________________________

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Project: Drupal core

Date: 2026-May-20

Security risk: 
Highly critical 20 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon

Vulnerability: SQL injection

Affected versions: 
>= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || 
>= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10

CVE IDs: CVE-2026-9082
Description: 

Drupal core includes a database abstraction API to ensure that queries
executed against the database are sanitized to prevent SQL injection
attacks.

A vulnerability in this API allows an attacker to send specially
crafted requests, resulting in arbitrary SQL injection for sites
using PostgreSQL databases. This can lead to information disclosure,
and in some cases privilege escalation, remote code execution, or
other attacks.

This vulnerability can be exploited by anonymous users.

This SQL injection vulnerability only affects sites using PostgreSQL.
However, the third-party dependency updates in these releases apply
to all sites.


Upstream security advisories

The Drupal releases for supported branches (11.3, 11.2, 10.6, and
10.5) in this advisory also include security updates for Symfony and
Twig. Those projects have released important Security Advisories
that were coordinated with this Drupal release, and Drupal is
affected by some of the vulnerabilities.

Depending on your site configuration and contrib modules, you may
be vulnerable to one or more of these upstream issues, so updating
these dependencies is highly recommended whether the SQL Injection
vulnerability affects you or not. It is also recommended to review
which user roles have the ability to update Twig templates, for
example via Views or contributed modules.


Solution: 

Install the latest version.

The following releases will be available as soon as automated
release packaging is complete. You may receive a 404 in the
interim. The updates may also be available on Packagist
sooner.


Drupal 11

    If you use Drupal 11.3.x, update to Drupal 11.3.10.
    If you use Drupal 11.2.x, update to Drupal 11.2.12.
    If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10.

Drupal 10

    If you use Drupal 10.6.x, update to Drupal 10.6.9.
    If you use Drupal 10.5.x, update to Drupal 10.5.10.
    If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10.

Drupal 9 and 8

    If you use any version of Drupal 9, try manually applying
the Drupal 9.5 patch for this issue.

    If you use Drupal 8.9, try manually applying the Drupal
8.9 patch for this issue.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are
end-of-life and do not receive security coverage. (Drupal 8
and Drupal 9 have both reached end-of-life.) Due to this
issue's severity, the unsupported releases and patches for
unsupported versions are provided as a best effort. Those
unsupported versions will still have other, previously
disclosed security vulnerabilities.


Reported By: 

    Michael Maturi (michaelmaturi) 


Fixed By: 

    Björn Brala (bbrala)
    Benji Fisher (benjifisher) of the Drupal Security Team
    catch (catch) of the Drupal Security Team
    Lee Rowlands (larowlan) of the Drupal Security Team
    Dave Long (longwave) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 

Coordinated By: 

    Anna Kalata (akalata) of the Drupal Security Team
    Benji Fisher (benjifisher) of the Drupal Security Team
    catch (catch) of the Drupal Security Team
    Damien McKenna (damienmckenna) of the Drupal Security Team
    Neil Drumm (drumm) of the Drupal Security Team
    Greg Knaddison (greggles) of the Drupal Security Team
    Heine Deelstra (heine) of the Drupal Security Team
    Tim Hestenes Lehnen (hestenet)
    Dave Long (longwave) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Juraj Nemec (poker10) of the Drupal Security Team
    Pierre Rudloff (prudloff) of the Drupal Security Team
    quietone (quietone)
    Jess (xjm) of the Drupal Security Team
    Cathy Theys (yesct) of the Drupal Security Team 


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================