CVE-2026-9082

MEDIUM

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

CVSS v3.1 Score

6.5
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
NETWORK
Complexity
LOW
Privileges
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Published: 5/20/2026Modified: 5/21/2026

Related Intelligence (6)

CRITICALVulnerability

Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core. "Drupal Core

CVE-2026-9082
The Hacker News
MEDIUMVulnerability

Drupal Vulnerability in Hacker Crosshairs Shortly After Disclosure

Drupal is warning users that it has already seen attempts to exploit CVE-2026-9082 and security firms are seeing attacks against thousands of websites. The post Drupal Vulnerability in Hacker Crosshairs Shortly After Disclosure appeared first on SecurityWeek .

CVE-2026-9082
SecurityWeek
HIGHVulnerability

CISA KEV: Drupal Core — Drupal Core SQL Injection Vulnerability

Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.

CVE-2026-9082Drupal Core
CISA KEV
CRITICALVulnerability

Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking

CVE-2026-9082 can be exploited without authentication for information disclosure, privilege escalation, and remote code execution. The post Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking appeared first on SecurityWeek .

CVE-2026-9082
SecurityWeek
CRITICALVulnerability

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure. The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is

CVE-2026-9082
The Hacker News
CRITICALVulnerability

Drupal admins rushing to patch maximum severity SQL injection vulnerability

Administrators of the Drupal open source content management platform are rushing to install an emergency patch issued today to fix a “highly critical” SQL injection vulnerability in the application’s core. While the vulnerability only affects websites that use the PostgreSQL database, there may be upstream issues with Symfony, a set of PHP packages and web application frameworks used by Drupal, an

CVE-2026-9082
CSO Online

References (1)

https://www.drupal.org/sa-core-2026-004