Skip to content

Commit 38292e9

Browse files
DrupalSecurityBotgithub-actions[bot]
DrupalSecurityBot
and
github-actions[bot]
authored
feat: update advisories (#217)
🤖 beep boop - looks like there's some changes to the advisories! - https://www.drupal.org/SA-CORE-2026-004 Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
1 parent 75edc5a commit 38292e9

1 file changed

Lines changed: 122 additions & 0 deletions

File tree

advisories/core/DRUPAL-CORE-2026-004.json

Lines changed: 122 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,122 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DRUPAL-CORE-2026-004",
4+
"modified": "2026-05-20T18:08:21.000Z",
5+
"published": "2026-05-20T18:08:21.000Z",
6+
"aliases": [
7+
"CVE-2026-9082"
8+
],
9+
"details": "Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.\n\nA vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.\n\nThis vulnerability can be exploited by anonymous users.\n\nThis vulnerability **only affects sites using PostgreSQL**. However, the dependency updates in this release apply to all sites.\n\n### Upstream security advisories\n\nThe Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important [Security Advisories](https://symfony.com/blog/category/security-advisories) that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities.\n\nDepending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so **updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not**. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/core"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "8.9.0"
23+
},
24+
{
25+
"fixed": "10.4.10"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": ">= 8.9.0 < 10.4.10"
30+
}
31+
},
32+
{
33+
"type": "ECOSYSTEM",
34+
"events": [
35+
{
36+
"introduced": "10.5.0"
37+
},
38+
{
39+
"fixed": "10.5.10"
40+
}
41+
],
42+
"database_specific": {
43+
"constraint": ">= 10.5.0 < 10.5.10"
44+
}
45+
},
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "10.6.0"
51+
},
52+
{
53+
"fixed": "10.6.9"
54+
}
55+
],
56+
"database_specific": {
57+
"constraint": ">= 10.6.0 < 10.6.9"
58+
}
59+
},
60+
{
61+
"type": "ECOSYSTEM",
62+
"events": [
63+
{
64+
"introduced": "11.0.0"
65+
},
66+
{
67+
"fixed": "11.1.10"
68+
}
69+
],
70+
"database_specific": {
71+
"constraint": ">= 11.0.0 < 11.1.10"
72+
}
73+
},
74+
{
75+
"type": "ECOSYSTEM",
76+
"events": [
77+
{
78+
"introduced": "11.2.0"
79+
},
80+
{
81+
"fixed": "11.2.12"
82+
}
83+
],
84+
"database_specific": {
85+
"constraint": ">= 11.2.0 < 11.2.12"
86+
}
87+
},
88+
{
89+
"type": "ECOSYSTEM",
90+
"events": [
91+
{
92+
"introduced": "11.3.0"
93+
},
94+
{
95+
"fixed": "11.3.10"
96+
}
97+
],
98+
"database_specific": {
99+
"constraint": ">= 11.3.0 < 11.3.10"
100+
}
101+
}
102+
],
103+
"database_specific": {
104+
"affected_versions": ">= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10"
105+
}
106+
}
107+
],
108+
"references": [
109+
{
110+
"type": "WEB",
111+
"url": "https://www.drupal.org/sa-core-2026-004"
112+
}
113+
],
114+
"credits": [
115+
{
116+
"name": "Michael Maturi (michaelmaturi)",
117+
"contact": [
118+
"https://www.drupal.org/u/michaelmaturi"
119+
]
120+
}
121+
]
122+
}

0 commit comments

Comments
 (0)