BleepingComputer · Saturday, May 23, 2026

Drupal: Critical SQL injection flaw now targeted in attacks

drupal · sql-injection · security · cve

Drupal issued an urgent warning that hackers are actively exploiting a critical SQL injection vulnerability (CVE-2026-XXXX) disclosed earlier this week. The flaw, rated 9.8 out of 10 on the CVSS scale, affects Drupal 7, 8, 9, and 10 core. It allows unauthenticated attackers to execute arbitrary SQL queries, potentially leading to remote code execution, data theft, or complete site takeover. The vulnerability was patched in versions 7.101, 9.5.11, 10.0.11, and 10.1.6, released on May 20, 2026. Drupal's security team reported that exploit attempts have been detected in the wild, urging all site administrators to apply the update immediately. No workarounds are available; the only mitigation is upgrading to the patched versions. The advisory notes that sites using contributed modules may also be at risk if they rely on database abstraction layers. This is the second critical Drupal vulnerability exploited in attacks this year, following a similar SQL injection flaw in January.
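The only mitigation the advisory offers is upgrading, so the first thing an administrator needs is a reliable answer to "is this site on a fixed release?". The script below is an added example for this digest entry, not Drupal's code and not from BleepingComputer. It takes the fixed releases exactly as the article lists them (7.101, 9.5.11, 10.0.11, 10.1.6), reads the core version out of the `VERSION` constant that Drupal ships in `core/lib/Drupal.php` (8.x and later) or `includes/bootstrap.inc` (7.x), and reports each install as patched, vulnerable, or unknown. Because the article lists no fixed release for the 8.x branch or for branches newer than 10.1, those are reported as unknown rather than guessed. The version strings and PHP snippets fed to it are constructed samples.

```python
"""Compare an installed Drupal core version against the fixed releases
named in the advisory quoted above. Added example; not Drupal's own code."""
from __future__ import annotations

import re

# Fixed releases as stated in the article text, keyed by the branch they patch.
# The article names no fixed release for 8.x, so that branch is deliberately
# absent and will be reported as "unknown" instead of guessed.
FIXED_RELEASES = {
    "7": "7.101",
    "9.5": "9.5.11",
    "10.0": "10.0.11",
    "10.1": "10.1.6",
}

# Matches '7.101', '10.1.6' and pre-release forms such as '10.1.6-dev'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?$")

# Matches the VERSION constant in core/lib/Drupal.php (const VERSION = '...';)
# and in Drupal 7's includes/bootstrap.inc (define('VERSION', '...');).
_SOURCE_RE = re.compile(
    r"(?:const\s+VERSION\s*=\s*|define\s*\(\s*'VERSION'\s*,\s*)'([^']+)'"
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn a Drupal version string into a comparable (major, minor, patch) tuple.
    Drupal 7 uses two components ('7.101'), so a missing patch level becomes 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def branch_of(version: str) -> str:
    """Drupal 7 is one branch ('7'); 8.x and later are versioned per minor ('10.1')."""
    major, minor, _ = parse_version(version)
    return str(major) if major < 8 else f"{major}.{minor}"


def check_version(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for an installed core version.
    'unknown' means the advisory text lists no fixed release for that branch."""
    fixed = FIXED_RELEASES.get(branch_of(version))
    if fixed is None:
        return "unknown"
    return "patched" if parse_version(version) >= parse_version(fixed) else "vulnerable"


def version_from_source(php_source: str) -> str | None:
    """Extract the core version from the contents of Drupal's version-bearing file."""
    m = _SOURCE_RE.search(php_source)
    return m.group(1) if m else None


def report(installs: dict[str, str]) -> dict[str, str]:
    """Map site name -> status for a dict of site name -> version-file contents."""
    results = {}
    for site, source in installs.items():
        version = version_from_source(source)
        results[site] = "unknown" if version is None else check_version(version)
    return results


if __name__ == "__main__":
    # Constructed sample inputs standing in for the real files on each host.
    sample_installs = {
        "www-prod":   "  const VERSION = '10.1.6';\n",      # at the fixed release
        "intranet":   "  const VERSION = '9.5.10';\n",      # one release short
        "legacy-d7":  "define('VERSION', '7.100');\n",      # Drupal 7, unpatched
        "archive-d8": "  const VERSION = '8.9.20';\n",      # no fix listed in advisory
    }
    for site, status in report(sample_installs).items():
        print(f"{site:12s} {status}")
```

Run it against the real `core/lib/Drupal.php` (or `includes/bootstrap.inc` on Drupal 7) of each site by reading the file contents into the dict; anything reported as vulnerable should be upgraded before anything else, and an unknown result means the branch needs checking against the vendor advisory directly rather than being assumed safe.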

// why it matters

Unpatched Drupal sites risk complete compromise via unauthenticated SQL injection.

Sources

Primary · BleepingComputer
▸ Read original at bleepingcomputer.com
