**Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks**

Drupal maintainers disclosed a critical vulnerability in the Drupal core on May 20 that allows remote code execution on sites using PostgreSQL databases. The flaw received a CVSS score of 9.8 and affects versions 10.3.0 through 10.3.13, 10.4.0 through 10.4.3, and 11.0.0 through 11.0.2.
The weakness sits in the database abstraction layer and permits attackers to inject malicious SQL payloads that can lead to arbitrary code execution. Sites running MySQL or SQLite remain unaffected because the issue is specific to the PostgreSQL driver's query handling.
Key Details
The Drupal Security Team rated the vulnerability as critical and urged all users to update immediately. Administrators can apply the fix by upgrading to Drupal 10.3.14, 10.4.4, or 11.0.3, which contain patches addressing the SQL injection vector. No public exploits have been observed so far, but the high CVSS score indicates potential for automated attacks.
Background
This vulnerability follows a series of similar database-related issues reported in open-source CMS platforms in 2025. Drupal’s wide adoption in government and enterprise environments increases the potential scope of any successful attack. Supplier management processes in highly regulated sectors often rely on Drupal for compliance portals, making timely patching essential.
Recommended Actions
Site owners should verify their current Drupal version and apply the security update without delay. Organizations maintaining multiple sites should fold this update into their established secure-application maintenance procedures so that no instance is missed. Experts advise reviewing server logs for suspicious PostgreSQL queries after patching.
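A triage check that combines the version ranges listed above with the database driver in use, as an added example (not code from the Drupal project); the composer.lock excerpt is constructed, and a site's actual driver would come from its settings.php:

```python
"""Flag a Drupal site that falls inside the affected ranges from this advisory.

Affected only on PostgreSQL: 10.3.0-10.3.13, 10.4.0-10.4.3, 11.0.0-11.0.2.
Fixed releases: 10.3.14, 10.4.4, 11.0.3.
"""
import json
import re

# (first affected, last affected, fixed release) per branch, from the advisory.
AFFECTED_RANGES = [
    ((10, 3, 0), (10, 3, 13), "10.3.14"),
    ((10, 4, 0), (10, 4, 3), "10.4.4"),
    ((11, 0, 0), (11, 0, 2), "11.0.3"),
]

PGSQL_DRIVER_NAMES = {"pgsql", "postgresql", "postgres"}


def parse_version(text):
    """Turn '10.4.2' or 'v10.4.2' into (major, minor, patch).

    Pre-release or dev tags are rejected so they are reviewed by hand rather
    than silently compared as a stable release.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"cannot triage non-release version {text!r}")
    return tuple(int(x) for x in m.groups())


def core_version_from_lock(lock_json):
    """Read the installed drupal/core version out of a composer.lock document."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg["version"]
    raise LookupError("drupal/core not found in composer.lock")


def assess(version, driver):
    """Return (affected, advice); only PostgreSQL sites in a listed range need the fix."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            if driver.lower() in PGSQL_DRIVER_NAMES:
                return True, f"update to Drupal {fixed}"
            return False, f"in an affected range but driver '{driver}' is not PostgreSQL"
    return False, "version outside the affected ranges"


# Constructed composer.lock excerpt for demonstration; not taken from any real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.4.2"},
    {"name": "drupal/core-recommended", "version": "10.4.2"},
]})

if __name__ == "__main__":
    ver = core_version_from_lock(SAMPLE_LOCK)
    print(ver, assess(ver, "pgsql"))
```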
What’s Next
The Drupal Security Team plans to release additional hardening guidance for PostgreSQL configurations within the next week. Administrators are encouraged to subscribe to official security announcements to receive notifications about further updates.