<div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:small" class="gmail_default">The fix is out.</div><div style="font-size:small" class="gmail_default">It is in the database abstraction layer, SQL injection, and can be exploited by anonymous users (non logged in users in Drupal's lingo).</div><div style="font-size:small" class="gmail_default">Affects PostgreSQL mainly.</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">(Side note: I've only encountered a single Drupal site running PostgreSQL in the past 20 years).</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">But there are also upstream fixes to Symfony ...etc., so the fix must be applied regardless.</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default"><a href="https://www.drupal.org/sa-core-2026-004" target="_blank">https://www.drupal.org/sa-core-2026-004</a></div></div>
</div>
</div>