
Drupal: when your town hall's website becomes an open door

security, eco-design, web

Last week, a major security vulnerability was discovered in Drupal, the software powering thousands of French public websites. Universities, town halls, government agencies. And barely anyone is talking about it.

What is Drupal?

It's the software installed "behind" a website to manage its content. A bit like WordPress, but one that French public administrations have favoured for years.

The problem with these tools: they're complex, they require regular updates, and when a vulnerability is discovered, it's often exploited before teams have had time to react. That's exactly what's happening right now.

The flaw, explained plainly

One important note: the flaw doesn't affect every Drupal site, only those using PostgreSQL as their database. The irony is that PostgreSQL is one of the most solid databases out there; it's not the culprit here. The fault lies in how Drupal builds the requests it sends to the database. PostgreSQL, for its part, does exactly what it's told.

An attacker can access those databases without a password, without an account, without anything: just by sending a crafted request to the right place.
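To make the point concrete, here is an added toy illustration of the general pattern the paragraph describes: an application pastes untrusted input into the text of a query, and the database faithfully runs whatever it receives. It is constructed for this article, uses an in-memory SQLite table rather than PostgreSQL or Drupal, and is not the code behind the advisory; the table, rows and attacker payload are all made up.

```python
import sqlite3

# Constructed sample data: a tiny "site" database with a users table.
# A stand-in for any SQL backend; this is not Drupal's schema.
SAMPLE_USERS = [
    (1, "admin", "hash-of-admin-password"),
    (2, "editor", "hash-of-editor-password"),
]


def make_db():
    """Fresh in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by pasting the caller's input into the SQL text.
    The database cannot tell data from instructions, so it executes
    whatever string it is handed."""
    sql = f"SELECT uid, name, pass FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Sends the SQL and the value separately. The value is bound as a
    parameter and can never change the structure of the query."""
    sql = "SELECT uid, name, pass FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker input: closes the string literal, then appends a
# condition that is always true, so the WHERE clause matches every row.
PAYLOAD = "nobody' OR '1'='1"


def demo():
    """Returns (rows leaked by the vulnerable lookup, rows from the safe one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)  # every row, no password needed
    safe = lookup_safe(conn, PAYLOAD)          # nobody is literally named that
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())
```

The fix is not a cleverer input filter but the parameterised form: the SQL text and the values travel to the database separately, so it never has to guess where data ends and instructions begin. That is also why the database is not the culprit; when both arrive glued into one string, it has no way to tell them apart.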

More than 15,000 attack attempts have been documented within a few days across thousands of sites worldwide. French sites (universities, local authorities, .gouv.fr) are among the potential targets.

The real problem

This vulnerability will be patched. But in two years, there will be another one. That's the nature of these systems: the more complex they are, the larger the attack surface.

The question few people ask: does a town hall or a community organisation really need such a heavy tool?

A website that publishes opening hours, news, and a contact form can be built differently. Simpler, lighter, with no database exposed to the internet. Less risk, less maintenance, lower costs.

It's not magic. But it's an approach that exists, and one that makes sense for many public or non-profit organisations.


If you manage a Drupal site: update it now (advisory SA-CORE-2026-004). If you're questioning your online setup, this might be a good moment to do so.
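As a practical first step before updating, here is an added triage script (written for this article, not Drupal's own tooling) that answers the two questions a site owner needs answered: does the site use the pgsql driver, and is the installed core older than the fixed release? It reads the contents of sites/default/settings.php and composer.lock. The sample file contents embedded below are constructed, and the version numbers in HYPOTHETICAL_FIXED are placeholders, not the real fixed releases, which must be taken from the advisory itself.

```python
import json
import re
from typing import Optional

# Constructed sample files standing in for a real site's
# sites/default/settings.php and composer.lock (not taken from any real site).
SAMPLE_SETTINGS_PHP = """<?php
$databases['default']['default'] = array (
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'not-a-real-password',
  'host' => 'localhost',
  'port' => '5432',
  'driver' => 'pgsql',
  'prefix' => '',
);
"""

SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "symfony/http-kernel", "version": "v6.4.8"},
    ]
})

# Placeholder "first fixed release" per core branch. These numbers are made up
# for the demo; replace them with the versions listed in the advisory.
HYPOTHETICAL_FIXED = {"10.3": "10.3.99", "10.4": "10.4.99", "11.1": "11.1.99"}

_DRIVER_RE = re.compile(r"'driver'\s*=>\s*'([A-Za-z0-9_]+)'")


def database_driver(settings_php: str) -> Optional[str]:
    """First 'driver' => '...' entry of the $databases array, or None.
    Heuristic: sites that set $databases in settings.local.php or from
    environment variables will come back as None and need a manual check."""
    m = _DRIVER_RE.search(settings_php)
    return m.group(1) if m else None


def core_version(composer_lock: str) -> Optional[str]:
    """Installed drupal/core version recorded in composer.lock, or None."""
    for pkg in json.loads(composer_lock).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None


def version_tuple(version: str) -> tuple:
    """'v10.3.1' -> (10, 3, 1); trailing labels such as '-rc1' are ignored."""
    parts = []
    for p in version.lstrip("v").split(".")[:3]:
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def triage(settings_php: str, composer_lock: str, fixed_versions: dict) -> dict:
    """What a responder needs: is the site in scope (pgsql driver), which core
    is installed, and is it below the first fixed release of its branch."""
    driver = database_driver(settings_php)
    core = core_version(composer_lock)
    result = {"driver": driver, "core": core, "in_scope": driver == "pgsql"}
    if core is None:
        result["needs_update"] = None  # cannot tell from the lock file alone
        return result
    branch = ".".join(str(p) for p in version_tuple(core)[:2])
    fixed = fixed_versions.get(branch)
    if fixed is None:
        # Branch not in the fixed list: most likely unsupported and therefore
        # never patched, so treat it as needing action (an upgrade, not a patch).
        result["needs_update"] = True
    else:
        result["needs_update"] = version_tuple(core) < version_tuple(fixed)
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            settings, lock = f.read(), g.read()
    else:
        settings, lock = SAMPLE_SETTINGS_PHP, SAMPLE_COMPOSER_LOCK
    print(triage(settings, lock, HYPOTHETICAL_FIXED))
```

On a real checkout run it as `python triage.py sites/default/settings.php composer.lock`. The driver detection is only a regex over settings.php; where it returns None, `drush status` (which prints the database driver) is the authoritative check, and `composer show drupal/core` confirms the installed version. A site that is not on PostgreSQL is reported as out of scope for this advisory but should still be updated, since the same release usually carries other fixes.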

Sources: Official Drupal advisory, SecurityWeek, The Hacker News, Tenable, BleepingComputer
