The following Python script is provided to scan, verify, or query the system telemetry:
#!/usr/bin/env python3
import json
import os
import re
import sys
from pathlib import Path
ROOT = Path(os.environ.get("ROOT", sys.argv[1] if len(sys.argv) > 1 else ".")).resolve()
OUT = Path(os.environ.get("OUT", "hp-drupal-cve-2026-9082-closure")).resolve()
CVE = "CVE-2026-9082"
FIXED = ["10.4.10", "10.5.10", "10.6.9", "11.1.10", "11.2.12", "11.3.10"]
SOURCE = "https://www.drupal.org/sa-core-2026-004"
def vt(value):
return tuple(int(x) for x in re.findall(r"\d+", str(value))[:4])
def lt(left, right):
l, r = vt(left), vt(right)
width = max(len(l), len(r), 1)
return l + (0,) * (width - len(l)) < r + (0,) * (width - len(r))
def ge(left, right):
return not lt(left, right)
def fixed_or_unaffected(version):
if version.startswith("7."):
return True
affected_ranges = [
("8.9.0", "10.4.10"),
("10.5.0", "10.5.10"),
("10.6.0", "10.6.9"),
("11.0.0", "11.1.10"),
("11.2.0", "11.2.12"),
("11.3.0", "11.3.10"),
]
return not any(ge(version, start) and lt(version, end) for start, end in affected_ranges)
OUT.mkdir(parents=True, exist_ok=True)
results = []
for lockfile in ROOT.rglob("composer.lock"):
data = json.loads(lockfile.read_text(encoding="utf-8", errors="ignore"))
for package in data.get("packages", []) + data.get("packages-dev", []):
if package.get("name") == "drupal/core":
version = str(package.get("version", "")).lstrip("v")
results.append({
"cve": CVE,
"source": SOURCE,
"file": str(lockfile),
"installed_version": version,
"accepted_fixed_versions": FIXED,
"fixed_or_unaffected": fixed_or_unaffected(version),
})
(OUT / "drupal-cve-2026-9082-patch-verification.json").write_text(json.dumps(results, indent=2, sort_keys=True), encoding="utf-8")
# Remediation trigger: fixed_or_unaffected false for any PostgreSQL-backed Drupal Core deployment keeps the site open for CVE-2026-9082.
print(json.dumps({"out": str(OUT), "checked": len(results), "not_closed": [r for r in results if not r["fixed_or_unaffected"]]}, indent=2))