Drupal articles

BRIEF

Drupal SQL Injection CVE-2026-9082: Patch Now

May 26, 2026Security

CVE-2026-9082 is an unauthenticated SQL injection in Drupal core affecting all PostgreSQL-backed installations from 8.9 through 11.3.9. CISA added it to the KEV catalog on May 22 — active exploitation confirmed.

HOT TAKE

Twig sandbox bypassed via a single quote in template name

May 23, 2026Security

CVE-2026-46633 in Twig lets a single quote in a template name inject arbitrary PHP into the cache file. Twig sandbox does not block it. Fixed in Twig 3.26.0.

Drupal

Articles tagged Drupal

Drupal SQL Injection CVE-2026-9082: Patch Now

Twig sandbox bypassed via a single quote in template name