PostgreSQL-targeting SQL injection in Drupal Core enables remote code execution
Summary
On May 22, 2026, Drupal confirmed active exploitation of CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core’s database abstraction API that enables unauthenticated attackers to execute arbitrary SQL commands on PostgreSQL-backed sites. The flaw can lead to remote code execution, privilege escalation, or information disclosure without authentication. Patches have been issued for active Drupal branches (10.4–11.3) and manual fixes provided for end-of-life versions (8.9, 9.5). Drupal rated the risk internally as highly critical (23/25), though NIST assigned a CVSS v3 score of 6.5 (medium severity). Administrators are urged to update immediately, including those using non-PostgreSQL configurations due to upstream dependency fixes.
Timeline
- 21.05.2026 06:44 (2 articles)
Critical SQL injection in Drupal Core’s PostgreSQL abstraction API patched across supported versions
A critical SQL injection vulnerability in Drupal Core’s database abstraction API allows unauthenticated attackers to execute arbitrary SQL commands on PostgreSQL-backed Drupal installations. Patches have been issued for active Drupal branches (11.3, 11.2, 10.6, 10.5) and manual fixes provided for end-of-life versions (9.5, 8.9). Drupal 7 and lower branches are unaffected. Immediate updates are required to prevent potential remote code execution and privilege escalation. On May 22, 2026, Drupal confirmed active exploitation attempts in the wild, prompting an updated risk score of 23/25. Discovery was attributed to Google/Mandiant researcher Michael Maturi. NIST assigned a CVSS v3 score of 6.5 (medium severity), though Drupal’s internal rating remains higher. Drupal reiterated the need for immediate updates even for non-PostgreSQL sites due to upstream dependency fixes included in the advisory.
- Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks — thehackernews.com — 21.05.2026 06:44
- Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
Information Snippets
- CVE-2026-9082 is an SQL injection vulnerability residing in Drupal Core's database abstraction API that validates queries against PostgreSQL databases.
  First reported: 21.05.2026 06:44 (2 sources, 2 articles)
  - Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks — thehackernews.com — 21.05.2026 06:44
  - Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
- Exploitation can lead to remote code execution, privilege escalation, or information disclosure without requiring authentication.
  First reported: 21.05.2026 06:44 (2 sources, 2 articles)
  - Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks — thehackernews.com — 21.05.2026 06:44
  - Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
- Impacted Drupal versions include 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10; Drupal 7 is unaffected.
  First reported: 21.05.2026 06:44 (2 sources, 2 articles)
  - Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks — thehackernews.com — 21.05.2026 06:44
  - Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
- Manual patches are provided for Drupal 9.5 and 8.9, which have reached end-of-life, but these releases remain exposed to other previously disclosed vulnerabilities.
  First reported: 21.05.2026 06:44 (1 source, 1 article)
  - Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks — thehackernews.com — 21.05.2026 06:44
- Actively exploited in the wild, as confirmed by Drupal on May 22, 2026.
  First reported: 22.05.2026 16:14 (1 source, 1 article)
  - Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
- Internal Drupal risk score updated to 23/25 following detection of exploitation attempts.
  First reported: 22.05.2026 16:14 (1 source, 1 article)
  - Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
- CVE-2026-9082 was discovered by Google/Mandiant researcher Michael Maturi.
  First reported: 22.05.2026 16:14 (1 source, 1 article)
  - Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
- NIST assigned a CVSS v3 score of 6.5 (medium severity) despite Drupal's higher internal rating.
  First reported: 22.05.2026 16:14 (1 source, 1 article)
  - Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
- Drupal's advisory notes that exploitation could commence within hours or days of disclosure.
  First reported: 22.05.2026 16:14 (1 source, 1 article)
  - Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
- Drupal recommends immediate updates even for non-PostgreSQL sites due to upstream dependency fixes.
  First reported: 22.05.2026 16:14 (1 source, 1 article)
  - Drupal: Critical SQL injection flaw now targeted in attacks — www.bleepingcomputer.com — 22.05.2026 16:14
Similar Happenings
Unauthenticated Privilege Escalation in WordPress Modular DS Plugin Exploited in the Wild
A critical vulnerability (CVE-2026-23550, CVSS 10.0) in the WordPress Modular DS plugin, affecting versions up to 2.5.1, is being actively exploited to gain admin access. The flaw allows unauthenticated attackers to bypass authentication and escalate privileges, potentially leading to full site compromise. The issue stems from a combination of design choices, including permissive direct request handling and weak authentication mechanisms. The vulnerability was patched in version 2.5.2, and attacks were first detected on January 13, 2026, originating from specific IP addresses. The Modular DS plugin has over 40,000 installations. Users are urged to update immediately to mitigate the risk.
Active Exploitation of Multiple Critical Vulnerabilities in Gladinet and TrioFox
Active exploitation of critical vulnerabilities in Gladinet's CentreStack and Triofox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. This flaw affects all versions prior to and including 16.7.10368.56560. The vulnerability has been exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability. Three customers have been impacted so far. A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk. The vendor, Gladinet, has been notified and is working on a fix. The vulnerability was detected by researchers at Huntress on September 27, 2025. The flaw was exploited to obtain a machine key and execute code remotely. The attack used an older deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE) through ViewState. The mitigations will impact some functionality of the platform but prevent exploitation of CVE-2025-11371. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks.

Additionally, a new critical vulnerability, CVE-2025-12480 (CVSS score: 9.8), has been discovered in Gladinet's Triofox file-sharing and remote access platform. This flaw allows attackers to bypass authentication and access configuration pages, resulting in the upload and execution of arbitrary payloads.
The threat cluster tracked as UNC6485 has been exploiting this flaw since August 24, 2025. The attackers have used the built-in antivirus feature to execute malicious files and set up encrypted tunnels to command-and-control servers, leveraging remote access tools like Zoho Assist and AnyDesk for further exploitation. The vulnerability CVE-2025-12480 was discovered and reported by Mandiant on November 10. The flaw allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads. The exploitation campaign started on August 14, 2025. The attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page. The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages. The attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature. A new actively exploited vulnerability in Gladinet's CentreStack and Triofox products has been disclosed, stemming from the use of hard-coded cryptographic keys. This flaw affects nine organizations so far. The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets, enabling them to access sensitive files like web.config that can be exploited to achieve ViewState deserialization and remote code execution. The attacks involve specially crafted URL requests to the "/storage/filesvr.dn" endpoint, with the Username and Password fields left blank, causing the application to fall back to the IIS Application Pool Identity. The timestamp field in the access ticket is set to 9999, creating a ticket that never expires, allowing threat actors to reuse the URL indefinitely to download the server configuration. 
Organizations using CentreStack and Triofox are advised to update to the latest version, 16.12.10420.56791, released on December 8, 2025, and scan logs for the presence of the string "vghpI7EToZUDIZDdprSubL3mTZ2," which is the encrypted representation of the web.config file path. In the event of indicators of compromise (IoCs), it is imperative to rotate the machine key by generating new keys in the IIS Manager and restarting IIS after repeating the same step for all worker nodes.
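The log check recommended above can be automated. The following is an added example, not code from Gladinet, Huntress or Mandiant: it parses IIS W3C-format request logs, flags every request carrying the encrypted web.config path indicator quoted above, and then pivots on the source IPs behind those hits so an analyst can see what else they touched. The log lines, IP addresses and paths are constructed samples; the only real value is the indicator string.

```python
from collections import defaultdict

# Indicator quoted in the summary above: the encrypted representation of the
# web.config path seen in forged access-ticket requests.
WEBCONFIG_TICKET_IOC = "vghpI7EToZUDIZDdprSubL3mTZ2"

# Constructed sample in IIS W3C extended log format (not real traffic). Column
# names and order come from the #Fields directive, as in a real IIS log.
# The AdminDatabase.aspx directory is a constructed path, not one stated above.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-12-01 10:00:01 203.0.113.7 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2 200
2025-12-01 10:00:05 198.51.100.9 GET /portal/loginpage.aspx - 200
2025-12-01 10:01:13 203.0.113.7 POST /setup/AdminDatabase.aspx - 200
2025-12-01 10:02:40 203.0.113.7 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive can change mid-file
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):          # skip truncated or malformed lines
            yield dict(zip(fields, parts))


def find_ioc_hits(text):
    """Return (timestamp, source IP) for each request carrying the web.config IoC."""
    return [
        (f"{r['date']} {r['time']}", r["c-ip"])
        for r in parse_w3c(text)
        if WEBCONFIG_TICKET_IOC in r.get("cs-uri-stem", "") + r.get("cs-uri-query", "")
    ]


def pivot_on_sources(text):
    """For every source IP with an IoC hit, list all of its requests for triage."""
    by_ip = defaultdict(list)
    for r in parse_w3c(text):
        by_ip[r["c-ip"]].append((r["time"], r["cs-method"], r["cs-uri-stem"]))
    suspects = {ip for _, ip in find_ioc_hits(text)}
    return {ip: by_ip[ip] for ip in suspects}


if __name__ == "__main__":
    for ip, reqs in pivot_on_sources(SAMPLE_LOG).items():
        print(ip, *reqs, sep="\n  ")
```

Any hit means the machine key should be treated as exposed and rotated on every worker node as the summary describes, not merely the offending IP blocked.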
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
The critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT has been actively exploited by the cybercrime group Storm-1175 in Medusa ransomware attacks since at least September 11, 2025. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. Fortra has released patches in versions 7.8.4 and 7.6.3. The vulnerability was disclosed on September 18, 2025, but exploitation began a week earlier. The Shadowserver Foundation is monitoring over 513 GoAnywhere MFT instances exposed online, although the number of patched instances is unknown. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability enables an attacker to bypass signature verification by crafting a forged license response signature, allowing the deserialization of arbitrary, attacker-controlled objects. Successful exploitation could result in command injection and potential remote code execution (RCE) on the affected system. The threat actor used legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to launch binaries following exploitation. The threat actor utilized RMM tools to establish command-and-control (C2) infrastructure and set up a Cloudflare tunnel for secure C2 communication. The deployment and execution of Rclone was observed in at least one victim environment during the exfiltration stage. Medusa ransomware has over 300 global victims in critical infrastructure sectors, including a confirmed attack on a US healthcare organization in early 2025. Fortra began investigating the vulnerability on September 11, 2025, following a customer report. Fortra contacted on-premises customers with publicly accessible admin consoles and notified law enforcement on September 11, 2025. 
A hotfix for versions 7.6.x, 7.7.x, and 7.8.x was released on September 12, 2025. Full patches for versions 7.6.3 and 7.8.4 were released on September 15, 2025. The CVE for the vulnerability was formally published on September 18, 2025. Fortra confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035. Fortra recommends restricting admin console access over the internet and enabling monitoring. watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.