SA-CORE-2026-004: SQL Injection

Published May 20, 2026
·
Updated

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. This vulnerability can be exploited by anonymous users. This SQL injection vulnerability only affects sites using PostgreSQL. However, the third-party dependency updates in these releases apply to all sites. Updates May 22 2026, 04:30 UTC: The risk score has been updated to reflect that exploit attempts are now being detected in the wild. Upstream security advisories The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities. Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.

Credit

Michael Maturi (michaelmaturi)

Affected Software

1 affected componentFixes available
Drupal Drupal<11.3.10, <11.2.12, <11.1.10, <10.6.9, <10.5.10, <10.4.10
11.3.1011.2.1211.1.1010.6.910.5.1010.4.10

Event History

May 20, 2026
Advisory Published
via Drupal·12:00 AM
Data Sourced
via Drupal·12:00 AM
DescriptionSeverityAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of SA-CORE-2026-004?

The severity of SA-CORE-2026-004 is rated as critical with a score of 9.

2

How do I fix SA-CORE-2026-004?

To fix SA-CORE-2026-004, you need to update your Drupal installation to the latest version that addresses this vulnerability.

3

What is the main issue in SA-CORE-2026-004?

SA-CORE-2026-004 addresses a SQL injection vulnerability in Drupal's database abstraction API specifically affecting PostgreSQL.

4

Which versions of Drupal are affected by SA-CORE-2026-004?

SA-CORE-2026-004 affects all supported versions of Drupal that use PostgreSQL, along with any installations that have not been updated.

5

What can an attacker do with SA-CORE-2026-004?

An attacker can exploit SA-CORE-2026-004 to execute arbitrary SQL queries against the database, potentially compromising site data.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203