
As a result, Drupal urges admins using these applications to update them as well, whether or not the SQL injection vulnerability affects their systems. Helpfully, the Drupal fix issued today includes updates for both Symfony and Twig.
The vulnerability in Drupal’s core, CVE-2026-9082, is in a database abstraction API that ensures queries against the database are sanitized to prevent SQL injection attacks.
In its warning, Drupal said a vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure and, in some cases, privilege escalation, remote code execution (RCE), or other attacks.
The vulnerability can be exploited by anonymous users.
