Drupal has published SA-CORE-2026-004, a highly critical Drupal core security advisory for a SQL injection vulnerability in Drupal core.

The vulnerability is tracked as CVE-2026-9082 and has been rated Highly critical, 20/25 by the Drupal Security Team. The primary issue affects Drupal sites using PostgreSQL databases. Drupal states that the vulnerability may be exploitable by anonymous users and could allow arbitrary SQL injection, potentially leading to information disclosure, privilege escalation, remote code execution, or other attacks.

Drupal has also included coordinated upstream dependency security updates for Symfony and Twig in the supported Drupal core releases. Because of those dependency updates, Drupal recommends updating even for sites that are not using PostgreSQL.

Reliable Penguin does not perform Drupal application updates. Drupal site owners and administrators should review their own Drupal installations, determine whether their sites are affected, and take appropriate action based on Drupal’s official advisory.

Affected Drupal versions include Drupal core versions from 8.9.0 through versions before 10.4.10, 10.5.x before 10.5.10, 10.6.x before 10.6.9, 11.0.x before 11.1.10, 11.2.x before 11.2.12, and 11.3.x before 11.3.10. Drupal recommends updating to the latest available release for your supported branch.

Site owners should apply updates promptly and review which user roles have permission to update Twig templates, such as through Views or contributed modules.

Read the official Drupal security advisory:
https://www.drupal.org/sa-core-2026-004

For urgent questions, please contact Reliable Penguin support.

Drupal has announced an upcoming highly critical Drupal core security release scheduled for Wednesday, May 20, 2026, between 1:00 PM and 5:00 PM EDT.

Reliable Penguin is monitoring the release window and will review the advisory as soon as Drupal publishes the update. If any hosted or managed Drupal sites are affected, we will prioritize applying the required security updates and mitigation steps.

Drupal has indicated that not all configurations may be affected, but site owners should reserve time during the release window to evaluate and apply updates promptly. Exploit details may become available within hours or days after disclosure.

Read the official Drupal security release notice

For urgent questions, please contact Reliable Penguin support.

Update: May 20, 2026

cPanel has released the security patches for this notice ahead of the originally scheduled release time. The patched builds are now available for affected versions of cPanel & WHM.

This release addresses multiple security issues, including vulnerabilities rated up to High severity. cPanel has identified the following items as addressed in this release:

• SEC-73728: cPanel & WHM / WP2 Security Update May 19, 2026
• SEC-73755: cPanel & WHM / WP2 Security Update May 19, 2026
• LiteSpeed User-End cPanel Plugin: A privilege-escalation vulnerability allowing unauthorized root access. cPanel has stated this issue is actively being exploited in the wild. As an interim security measure, cPanel has included an automated fix in this release that removes the plugin. Read the cPanel LiteSpeed plugin security notice .

Minimum Patched Builds

Servers should be updated to the appropriate patched build or later:

Reliable Penguin Response

Reliable Penguin is applying the available cPanel & WHM security updates across managed client servers. We strongly recommend that any affected servers not managed by Reliable Penguin be updated manually as soon as possible.

For servers managed by Reliable Penguin, no customer action is required unless we contact you directly regarding a maintenance window or special update requirement.

Where a manual update is required, the update can be applied with:

/scripts/upcp

Note for CentOS 6 or CloudLinux 6 systems: cPanel advises updating to the cl6110 branch, version 11.110.0.120, before manually updating.

We will continue monitoring this issue and will take any additional remediation steps as needed.

May 18, 2026

Reliable Penguin has been notified by cPanel that a cPanel & WHM security patch is expected to be released on Wednesday, May 20, 2026 at 8:00 AM Eastern Time.

According to cPanel, this release will address multiple vulnerabilities across several versions of cPanel & WHM, including vulnerabilities rated up to High severity.

cPanel has stated that there are currently no known exploits or proof-of-concept code in the wild. Technical details are expected to be released alongside the patches.

Affected Versions

The following cPanel & WHM versions are expected to be impacted:

• 86
• 94
• 102
• 110
• 110 (CL6)
• 118
• 124
• 126
• 130
• 132
• 134
• 136
• 136 (WP2)

Reliable Penguin Response

Reliable Penguin is reviewing managed cPanel & WHM servers for affected versions and will apply the security update once it becomes available.

For servers managed by Reliable Penguin, no customer action is required at this time unless we contact you directly regarding a maintenance window or special update requirements.

Next Steps

We will continue monitoring the release and will provide an update once the patch is available and remediation work is underway.

Reliable Penguin is launching the RP News mailing list, a dedicated way for clients to stay informed about important updates from our team.

We encourage all Reliable Penguin clients to join the list so they can receive timely notices about:

• Important security updates
• Operational notices and service-related announcements
• New Reliable Penguin product offerings
• Opportunities, events, and other updates from our team

Our goal is to make sure clients have a clear and reliable way to hear about information that may affect their websites, hosting, infrastructure, support, or services with Reliable Penguin.

Why join?

RP News will help you stay ahead of important changes and opportunities. Some updates may be informational, while others may include security or operational details that are important for your organization to review.

By joining the mailing list, you can make sure the right people on your team receive these updates directly.

Who should subscribe?

We recommend that each client organization have at least one primary contact subscribed. Depending on your team, you may also want to include:

• Website administrators
• IT or security contacts
• Operations managers
• Marketing or communications contacts
• Anyone responsible for Reliable Penguin services within your organization

Join the RP News list

Please use the signup form below to subscribe to the RP News mailing list and stay informed about Reliable Penguin updates, important notices, new offerings, and opportunities.

If you are unsure who from your organization should be subscribed, please contact Reliable Penguin support and we will be happy to help.

Update - May 18, 2026

Plesk has released Plesk Obsidian 18.0.78 Update 1, which includes security improvements and updates nginx and the sw-cp-server service to version 1.30.1 on Linux systems. Reliable Penguin is in the process of installing this update across all managed client servers. 

No customer action is required at this time. We will continue monitoring the rollout and will take any additional remediation steps as needed.

Reference: https://docs.plesk.com/release-notes/obsidian/change-log/

May 15, 2026

Reliable Penguin is aware of CVE-2026-42945, a vulnerability affecting certain nginx versions prior to 1.31.1 and 1.30.1. The issue may allow denial of service in affected configurations, and remote code execution may be possible in limited circumstances.

This vulnerability may affect some Plesk-managed Linux systems depending on the installed nginx version and rewrite-rule configuration.

Reliable Penguin is actively reviewing managed systems for exposure to this issue. Our response includes checking nginx versions, reviewing potentially affected rewrite rules, confirming relevant system protections where applicable, and applying vendor-recommended mitigations or updates.

Reliable Penguin now follows an update-and-notify security maintenance model for managed systems. Under this policy, automatic security updates are enabled by default, and critical or high-priority security updates may be applied as soon as practical rather than waiting for a scheduled maintenance window. Clients are notified after updates that require or result in a system reboot, while routine service restarts generally do not trigger separate notifications.

For this nginx vulnerability, Reliable Penguin may apply mitigations or vendor patches without prior client approval when delaying action would create unnecessary security risk. No system reboots are required for the currently recommended mitigations or expected update. A brief nginx service restart or reload may occur as part of mitigation or patching, but this is considered routine security maintenance and will not typically trigger a separate notification.

Customers do not need to take action unless they manage their own nginx, Plesk, or server configuration outside of Reliable Penguin’s managed services. Customers with self-managed systems should review vendor guidance, confirm whether affected nginx versions and rewrite rules are present, and apply the recommended update or mitigation.

We will continue monitoring vendor guidance and will update this notice as new information becomes available.

Reference: Plesk advisory for CVE-2026-42945