- 147/2026
- Critical
Drupal has released security updates to address several vulnerabilities affecting multiple Drupal products.
The addressed vulnerabilities could allow the attacker to conduct cross-site scripting attacks, obtain sensitive information, escalate privileges, manipulate data, execute arbitrary SQL commands, and gain access to the affected products.
Samples of the addressed vulnerabilities:
1. Drupal Date iCal Information Disclosure Vulnerability (CVE-2026-8495):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Obtain Information
2. Drupal Core SQL Injection Vulnerability (CVE-2026-9082):
- CVSS: 6.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
The affected products:
- Drupal core.
- Drupal Date iCal.
- Drupal Colorbox Inline.
- Translate Drupal with GTranslate.
- Drupal Node View Permissions.
Vulnerabilities
- CVE-2026-8491
- CVE-2026-8492
- CVE-2026-8493
- CVE-2026-8495
- CVE-2026-9082
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.