Patch now! Attackers exploiting critical malicious code vulnerability in Drupal
Attackers are currently targeting websites built with the Drupal CMS. Sites are only vulnerable, however, if they use PostgreSQL as their database.
(Image: solarseven/Shutterstock.com)
The Drupal developers are warning of attacks on websites built with the content management system (CMS). By exploiting the flaw, attackers can gain access to data that should be isolated from them, escalate their privileges, or even execute malicious code remotely. Security updates are available for download.
Critical malicious code vulnerability
According to the software maker's advisory, which has since been updated with a warning about ongoing attacks, the vulnerability (CVE-2026-9082) is rated "critical". It affects only websites that use PostgreSQL as their database. On such sites, attackers exploit the flaw with crafted SQL injection requests, and attacks are said to be possible without authentication. The Drupal developers are not currently elaborating on how the attacks proceed in detail, and it is also unclear how widespread they are.
The developers had already warned of possible attacks before the security patch was published and had told admins in an advance notice to expect the update.
Protect instances from attacks
Drupal versions whose support has already expired are also affected. Because of the urgency, the developers have nevertheless released security updates for them as well. They state that the following versions have been patched against the ongoing attacks:
- Drupal 8.9
- Drupal 9.5
- Drupal 10.4.10
- Drupal 10.5.10
- Drupal 10.6.9
- Drupal 11.1.10
- Drupal 11.2.12
- Drupal 11.3.10
The developers point out that although versions that are no longer supported receive this security update, they remain vulnerable to older security flaws. Web administrators should therefore upgrade to a still-supported version.
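Before patching, an administrator wants a fast answer to two questions: does this site use PostgreSQL at all, and is its core version below the patched release for its branch? The script below is an added example for this article, not Drupal project tooling or code from the advisory. It reads the core version from core/lib/Drupal.php and the database driver from sites/default/settings.php (standard Drupal layout, assumed), and compares against the release list above. Drupal 8.9 and 9.5 appear in that list without a patch level, so for those branches it can only say that a patch exists and that the branch is unsupported; the article does not name patch levels for them, and this code does not guess one. The sample file contents are constructed so the script runs without a Drupal checkout.

```python
"""Exposure check against the Drupal advisory discussed above (added example).

Compares a site's core version and database driver with the patched releases
listed in the article. Paths assume a standard Drupal checkout.
"""
import re
import sys
from pathlib import Path

# Patched releases as listed in the article. Drupal 8.9 and 9.5 are listed
# without a patch level, so only the branch is recorded (None).
PATCHED = {
    (8, 9): None,
    (9, 5): None,
    (10, 4): (10, 4, 10),
    (10, 5): (10, 5, 10),
    (10, 6): (10, 6, 9),
    (11, 1): (11, 1, 10),
    (11, 2): (11, 2, 12),
    (11, 3): (11, 3, 10),
}

VERSION_RE = re.compile(r"const VERSION\s*=\s*'([^']+)'")
DRIVER_RE = re.compile(r"'driver'\s*=>\s*'([^']+)'")


def parse_version(text):
    """'10.5.9' or '10.5.9-dev' -> (10, 5, 9). Raises ValueError on junk."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def core_version_from_php(php_source):
    """Extract the version from the contents of core/lib/Drupal.php."""
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no 'const VERSION' found in Drupal.php")
    return parse_version(m.group(1))


def db_driver_from_settings(settings_source):
    """First 'driver' value in settings.php, or None. Only the common PHP
    array-literal form is recognised; a driver set via env vars is missed."""
    m = DRIVER_RE.search(settings_source)
    return m.group(1) if m else None


def assess(version, driver):
    """Classify an installation. Returns (needs_update, message)."""
    if driver != "pgsql":
        return False, f"driver {driver!r}: the advisory only affects PostgreSQL (pgsql) sites"
    branch = version[:2]
    label = f"{branch[0]}.{branch[1]}"
    if branch not in PATCHED:
        # Conservative: a branch not in the list is treated as needing attention.
        return True, f"branch {label} not in the patched list; consult the advisory"
    fixed = PATCHED[branch]
    if fixed is None:
        return True, (f"branch {label} is patched but unsupported; apply the advisory's "
                      "update and plan an upgrade to a supported branch")
    vstr = ".".join(map(str, version))
    fstr = ".".join(map(str, fixed))
    if version >= fixed:
        return False, f"{vstr} is at or above patched release {fstr}"
    return True, f"{vstr} is below patched release {fstr}: update now"


def check_site(root):
    """Run the check against a real Drupal root directory."""
    root = Path(root)
    version = core_version_from_php((root / "core/lib/Drupal.php").read_text())
    driver = db_driver_from_settings((root / "sites/default/settings.php").read_text())
    return assess(version, driver)


# Constructed sample inputs (not real files) so the script runs stand-alone.
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '10.5.9';\n}\n"
SAMPLE_SETTINGS = ("$databases['default']['default'] = [\n"
                   "  'database' => 'drupal',\n  'driver' => 'pgsql',\n];\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        needs_update, msg = check_site(sys.argv[1])
    else:
        needs_update, msg = assess(core_version_from_php(SAMPLE_DRUPAL_PHP),
                                   db_driver_from_settings(SAMPLE_SETTINGS))
    print(("UPDATE NEEDED: " if needs_update else "OK: ") + msg)
    sys.exit(1 if needs_update else 0)
```

Run it with the web root as the only argument; without an argument it evaluates the constructed sample (10.5.9 on pgsql) and exits non-zero because 10.5.9 is below 10.5.10. A non-pgsql driver is reported as not affected by this advisory, which is what the text says, but it is no reason to skip the update.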
(des)