Description:
Drupal published a security advisory to address a vulnerability in several Drupal products. Details of the security update can be found at:
https://www.drupal.org/sa-core-2026-004
Reports indicate that a remote code execution, elevation of privilege and information disclosure vulnerability (CVE-2026-9082) is being exploited in the wild. System administrators are advised to patch affected systems immediately to mitigate the elevated risk of cyber attacks.
Affected Systems:
- Drupal version 11.0.0 and later, prior to 11.1.10
- Drupal version 11.2.0 and later, prior to 11.2.12
- Drupal version 11.3.0 and later, prior to 11.3.10
- Drupal version 10.5.0 and later, prior to 10.5.10
- Drupal version 10.6.0 and later, prior to 10.6.9
- Drupal version 8.9.0 through 10.4.9
For detailed information about the affected systems, please refer to the corresponding security advisory on the vendor's website.
Impact:
Successful exploitation of the vulnerability could lead to remote code execution, elevation of privilege and information disclosure on an affected system.
Recommendation:
Patches for affected systems are now available. System administrators of affected systems should follow the recommendations provided by the vendor and take immediate action to mitigate the risk.
Drupal 10.4.10
https://www.drupal.org/project/drupal/releases/10.4.10
Drupal 10.5.10
https://www.drupal.org/project/drupal/releases/10.5.10
Drupal 10.6.9
https://www.drupal.org/project/drupal/releases/10.6.9
Drupal 11.1.10
https://www.drupal.org/project/drupal/releases/11.1.10
Drupal 11.2.12
https://www.drupal.org/project/drupal/releases/11.2.12
Drupal 11.3.10
https://www.drupal.org/project/drupal/releases/11.3.10
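The following is an added example, not part of the advisory or of Drupal's own tooling: it checks a core version string against the affected ranges listed above and returns the listed release to move to. The function names, the sample inventory and the pairing of each range with a listed release are assumptions of this example.

```python
import re

# Affected ranges as listed in this advisory:
# (first affected version, first unaffected version, listed release).
# Pairing each range with a release from the list above is an assumption.
AFFECTED = [
    ((8, 9, 0), (10, 4, 10), "10.4.10"),   # "8.9.0 through 10.4.9"
    ((10, 5, 0), (10, 5, 10), "10.5.10"),
    ((10, 6, 0), (10, 6, 9), "10.6.9"),
    ((11, 0, 0), (11, 1, 10), "11.1.10"),
    ((11, 2, 0), (11, 2, 12), "11.2.12"),
    ((11, 3, 0), (11, 3, 10), "11.3.10"),
]


def parse_version(text):
    """Parse a plain 'X.Y.Z' core version into a tuple of ints.

    Dev and pre-release strings (e.g. '11.x-dev') are rejected so that
    they are reviewed by hand instead of being silently treated as patched.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    return tuple(int(g) for g in m.groups())


def patched_release(version):
    """Return the listed release if `version` is in an affected range, else None."""
    v = parse_version(version)
    for first_affected, first_unaffected, release in AFFECTED:
        if first_affected <= v < first_unaffected:
            return release
    return None  # not in any range listed in this advisory


def triage(inventory):
    """Map {host: version} to {host: release or 'UNKNOWN'} for hosts needing action."""
    findings = {}
    for host, version in inventory.items():
        try:
            release = patched_release(version)
        except ValueError:
            findings[host] = "UNKNOWN"  # unparseable version: check manually
            continue
        if release:
            findings[host] = release
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; host names are hypothetical.
    print(triage({"web1": "10.5.3", "web2": "11.3.10", "web3": "11.x-dev"}))
```

A result of `None` means only that the version is outside the ranges listed here; the vendor advisory remains the authority on affected versions.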
More Information:
- https://www.drupal.org/sa-core-2026-004
- https://www.hkcert.org/security-bulletin/drupal-remote-code-execution-vulnerability_20260521
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9082