Drupal core shows critical flaw

- Drupal disclosed a highly critical SQL injection flaw in core on May 20, 2026, affecting supported branches and prompting site owners to patch immediately.
- Drupal’s advisory said exploits “might be developed within hours or days,” and on May 22 it updated the notice to say attempts were detected.
- Fixed releases are listed in SA-CORE-2026-004 on Drupal.org, covering supported 11.3, 11.2, 10.6 and 10.5 branches.

Drupal published a highly critical core security advisory on May 20 covering supported branches of its content management system, and the project urged administrators to reserve time for immediate updates. The flaw is tracked in SA-CORE-2026-004 and is described by Drupal as an SQL injection issue in core. The project had warned two days earlier that exploits could appear within hours or days of disclosure. By May 22, Drupal updated the advisory to say exploit attempts were being detected in the wild.

### Which Drupal versions are affected right now?

Drupal said the affected supported branches are 11.3, 11.2, 10.6 and 10.5. The advisory points users to patched releases in each supported line, and Drupal’s release pages describe those versions as security updates tied to SA-CORE-2026-004. Drupal’s security pages also make clear that Drupal 8 and Drupal 9 are end-of-life. That means organizations still running those versions would not be in the supported set for this advisory and would face a separate upgrade problem beyond this immediate patch cycle. (drupal.org)

### Why are administrators being told to move so fast?

Drupal’s public service announcement on May 18 said the security team was urging users to reserve time during the release window because exploits “might be developed within hours or days.” That language is unusually direct and signaled that defenders should expect rapid weaponization after disclosure. (drupal.org)

The advisory was then updated on May 22 at 04:30 UTC to reflect that exploit attempts were being detected in the wild. (drupal.org) That update changed the posture from precaution to active response for any unpatched site exposed to the internet.

### What kind of risk does an SQL injection flaw create for a Drupal site?

Drupal classified SA-CORE-2026-004 as “Highly critical” with a risk score of 20 out of 25 in the advance notice. (drupal.org) The final advisory identifies the issue as SQL injection in core, which means an attacker may be able to interfere with database queries if the vulnerable conditions are present. For operators, that puts public-facing Drupal properties such as marketing sites, vendor portals and tenant-facing web applications in the urgent patch queue. (drupal.org) The practical exposure depends on how each site is configured, because Drupal said not all configurations are affected and mitigation details were included with the advisory. (drupal.org)

### Is this only a Drupal bug, or are other components involved too?

Drupal said the security releases for supported branches also include coordinated security updates for Symfony and Twig. The project said Drupal is affected by some of the vulnerabilities disclosed upstream, and the release notes show Twig being updated as part of the security release. That means some administrators may need to treat this as both a core patching event and a dependency update review, especially on Composer-managed deployments where pinned versions and custom code can complicate maintenance windows. (drupal.org) That operational point is an inference from Drupal’s release notes and dependency references.

### Where should teams verify the fix and next steps?

Drupal’s official advisory page, SA-CORE-2026-004, is the primary source for affected branches, mitigations and updated risk information. (drupal.org) Drupal’s release pages for the supported branches list the corresponding security releases and note that sites should update immediately after reviewing the security announcement. As of May 22, the next step for site owners is straightforward: check the branch they run, install the patched release listed by Drupal, and confirm whether any internet-facing Drupal properties remain unpatched after the advisory’s in-the-wild update. (drupal.org)
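The "check the branch you run, then confirm nothing is left unpatched" step above is easy to get wrong across a fleet of sites, so here is an added example of a small inventory script (written for this page, not Drupal's own tooling). It relies on one real convention, that Drupal core declares its version as `const VERSION = '...';` in `core/lib/Drupal.php`, and on one convention of the script's own: the operator copies the fixed release for each branch from SA-CORE-2026-004 into a `FIXED_<major>_<minor>` environment variable, because the article does not list those numbers. The `make_fixture` helper and the `FIXED_*` values in the demo are constructed placeholders, not real release numbers.

```shell
#!/bin/sh
# Inventory check for the SA-CORE-2026-004 patch cycle (added example, not Drupal's code).
# For each site root it reads the core version actually deployed, maps it to a branch,
# and compares it with the fixed release the operator supplied for that branch.

drupal_core_version() {
  # Drupal core declares its version as `const VERSION = 'x.y.z';` in core/lib/Drupal.php.
  sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" "$1" | head -n 1
}

drupal_branch() {
  # 10.5.2 -> 10.5, the granularity the advisory uses.
  printf '%s\n' "$1" | cut -d. -f1-2
}

version_ge() {
  # True when dotted version $1 >= $2. A pre-release suffix (e.g. -rc1) is dropped,
  # so a pre-release is treated as equal to its final release.
  v1=${1%%-*}; v2=${2%%-*}; i=1
  while [ "$i" -le 3 ]; do
    p1=$(printf '%s' "$v1" | cut -d. -f"$i"); p2=$(printf '%s' "$v2" | cut -d. -f"$i")
    p1=${p1:-0}; p2=${p2:-0}
    if [ "$p1" -gt "$p2" ]; then return 0; fi
    if [ "$p1" -lt "$p2" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

fixed_release() {
  # Fixed release for a branch, read from FIXED_<major>_<minor>. The operator fills
  # these in from SA-CORE-2026-004; nothing is hard-coded here (script convention).
  eval "printf '%s\n' \"\${FIXED_$(printf '%s' "$1" | tr . _)}\""
}

check_site() {
  # Prints one status line for the Drupal root given in $1.
  root=$1; file="$root/core/lib/Drupal.php"
  if [ ! -f "$file" ]; then printf '%s: no core/lib/Drupal.php found\n' "$root"; return 0; fi
  ver=$(drupal_core_version "$file")
  if [ -z "$ver" ]; then printf '%s: VERSION not readable\n' "$root"; return 0; fi
  branch=$(drupal_branch "$ver")
  case "$branch" in
    11.3|11.2|10.6|10.5) ;;   # supported branches named in the advisory
    8.*|9.*) printf '%s: %s EOL branch, needs a major upgrade, not just this patch\n' "$root" "$ver"; return 0 ;;
    *) printf '%s: %s branch %s not listed in SA-CORE-2026-004, check the advisory\n' "$root" "$ver" "$branch"; return 0 ;;
  esac
  fixed=$(fixed_release "$branch")
  if [ -z "$fixed" ]; then
    printf '%s: %s FIXED_%s not set, copy it from the advisory\n' "$root" "$ver" "$(printf '%s' "$branch" | tr . _)"
    return 0
  fi
  if version_ge "$ver" "$fixed"; then printf '%s: %s patched (>= %s)\n' "$root" "$ver" "$fixed"
  else printf '%s: %s UNPATCHED (fixed release %s)\n' "$root" "$ver" "$fixed"; fi
}

make_fixture() {
  # Constructed stand-in for a site root; only the VERSION line of Drupal.php is modelled.
  mkdir -p "$1/core/lib"
  printf "<?php\nclass Drupal {\n  const VERSION = '%s';\n}\n" "$2" > "$1/core/lib/Drupal.php"
}

# Demo on constructed fixtures. The FIXED_* values are placeholders, not real release numbers.
work=$(mktemp -d)
make_fixture "$work/site-a" 10.5.2
make_fixture "$work/site-b" 11.3.1
make_fixture "$work/site-c" 9.5.11
FIXED_10_5=10.5.9; FIXED_11_3=11.3.1; export FIXED_10_5 FIXED_11_3
for site in "$work"/site-*; do check_site "$site"; done
```

In practice you would replace the fixture loop with the list of document roots your web servers actually serve (or run it over a directory of checkouts), and the three outcomes map onto the article's own categories: a supported branch below the fixed release is the urgent queue, an 8.x or 9.x root is an end-of-life upgrade problem rather than a patch, and anything else needs a manual look at the advisory.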
