TL;DR: Drupal core security releases for all supported branches are scheduled for May 20, 2026 between 17:00-21:00 UTC.

Clear your calendar and patch immediately, because exploits will probably drop within hours.

Affected/Supported versions:

10.5.x, 10.6.x, 11.2.x, 11.3.x

Follow @drupalsecurity for more details.

PSA: https://www.drupal.org/psa-2026-05-18

#Drupal #PHP

Upcoming highly critical release on May 20, 2026 - PSA-2026-05-18

There will be a Drupal core security release for all supported branches on May 20, 2026, between 17:00 and 21:00 UTC. (To see this in your local timezone, refer to the Drupal Core Calendar.) The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Not all configurations are affected. Reserve time

Drupal.org

Patch immediately before public exploits emerge.

https://www.drupal.org/sa-core-2026-004

Affected:

- 8.9.0, < 10.4.10
- 10.5.0, < 10.5.10
- 10.6.0, < 10.6.9
- 11.0.0, < 11.1.10
- 11.2.0, < 11.2.12
- 11.3.0, < 11.3.10

CVE-2026-9082 - Highly critical - SQL Injection
CVE-2026-8495 - Missing Authorization
CVE-2026-8493 - XSS
CVE-2026-8492
CVE-2026-8491

#Drupal #PHP #CyberSecurity #Infosec #CVE #WebSecurity #PostgreSQL #SqlInjection #PrivilegeEscalation #XSS

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege

Drupal.org