Planned Fix

CVE-2026-9082

SQL Injection in Drupal core

Summary

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Drupal core allows SQL Injection. The issue affects Drupal core versions from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, and from 11.3.0 before 11.3.10. It can be exploited by anonymous users and only affects sites using PostgreSQL databases.

Why Planned Fix?

Score: 4/6
  • No authentication required
  • Commonly internet-facing deployment
  • No user interaction needed
  • Not exploitable in default configuration
  • No active exploitation or PoC
  • High impact vulnerability

Exploitation Details

Type: SQLi (SQL Injection)
Is exploitable with default configuration? No
Is authentication needed? No
PoC / Exploit: No
Impact

Execute attacker-controlled SQL against the site's PostgreSQL database, exposing or altering data. The NVD vector (CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, 6.5 Medium) scores the direct impact as limited confidentiality and integrity loss; whether that escalates to privilege escalation or code execution depends on the deployment, for instance on what the database role Drupal connects with is allowed to do.

Impact category: RCE (Remote Code Execution). This is the tracker's worst-case label; it is not backed by the CVSS vector above and should be read as deployment-dependent rather than as the established impact.
Exploitation Requirements
  • PostgreSQL database backend configured
Exploitation Process

An attacker sends crafted HTTP requests to a Drupal page or API path whose handling reaches the database abstraction layer on a site configured for PostgreSQL. The payload makes Drupal generate SQL it did not intend, and the backend executes attacker-controlled statements. The specific entry point is not identified on this page. Success shows up as unexpected query results, data extraction, or changes to database state, and may cascade to higher impact on some deployments.
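Probing for this class of bug, whether or not it succeeds, usually produces a burst of server-side SQL errors before a working payload is found. The following is an added example, not code from this page or from the Drupal project, of a generic heuristic over PostgreSQL server logs: it counts parse and type errors raised by the application's database role per minute and flags minutes above a threshold. It is not a signature for CVE-2026-9082 (the page lists no detection rules). It assumes a `log_line_prefix` of `'%m [%p] %u@%d %h '` and a dedicated application role named `drupal`; the log lines in the block are constructed.

```python
# Added example (not from the tracker page or Drupal): flag minutes in which the
# application's PostgreSQL role raised an unusual number of SQL parse/type errors,
# a generic signal of SQL-injection probing against the backend.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed (not from the page): log_line_prefix = '%m [%p] %u@%d %h '
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ \[\d+\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<client>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# Error classes that parameterised, application-generated queries rarely produce
# but that injected quotes, comment sequences and tautologies produce constantly.
SUSPICIOUS_MSG_RE = re.compile(
    r"syntax error at or near|unterminated quoted string|invalid input syntax|"
    r"operator does not exist|column \S+ does not exist|relation \S+ does not exist",
    re.IGNORECASE,
)

# Constructed sample log: four suspicious errors from the app role within one
# minute, one superuser typo in a different minute, one unrelated constraint error.
SAMPLE_LOG = """\
2026-05-02 10:14:02.113 UTC [4113] drupal@drupal 10.0.0.5 LOG:  duration: 1.203 ms
2026-05-02 10:14:05.220 UTC [4113] drupal@drupal 10.0.0.5 ERROR:  syntax error at or near "'" at character 57
2026-05-02 10:14:05.904 UTC [4113] drupal@drupal 10.0.0.5 ERROR:  unterminated quoted string at or near "'" at character 61
2026-05-02 10:14:06.387 UTC [4117] drupal@drupal 10.0.0.5 ERROR:  invalid input syntax for type integer: "5abc"
2026-05-02 10:14:07.001 UTC [4117] drupal@drupal 10.0.0.5 ERROR:  operator does not exist: integer = text at character 50
2026-05-02 10:20:31.555 UTC [4200] postgres@postgres [local] ERROR:  syntax error at or near "SELCT" at character 1
2026-05-02 10:31:11.009 UTC [4113] drupal@drupal 10.0.0.5 ERROR:  duplicate key value violates unique constraint "users_field__name__value"
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its prefix fields; None if it does not match the prefix."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ev


def error_buckets(lines, app_role: str = "drupal",
                  bucket: timedelta = timedelta(seconds=60)) -> Dict[datetime, int]:
    """Count suspicious ERROR lines from app_role per time bucket (bucket start -> count)."""
    counts: Dict[datetime, int] = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["level"] != "ERROR" or ev["user"] != app_role:
            continue
        if not SUSPICIOUS_MSG_RE.search(ev["msg"]):
            continue
        ts = ev["ts"]
        start = ts - (ts - datetime.min) % bucket  # floor timestamp to bucket boundary
        counts[start] += 1
    return dict(counts)


def flagged_buckets(lines, threshold: int = 3, **kw) -> List[Tuple[datetime, int]]:
    """Buckets whose suspicious-error count reaches the threshold, oldest first."""
    return sorted((t, n) for t, n in error_buckets(lines, **kw).items() if n >= threshold)


if __name__ == "__main__":
    for start, n in flagged_buckets(SAMPLE_LOG.splitlines()):
        print(f"{start:%Y-%m-%d %H:%M}: {n} suspicious SQL errors from the application role")
```

The `%h` field is the host that opened the database connection, which in a typical deployment is the web tier rather than the requester, so a flagged minute has to be correlated with the web server's access log by timestamp to find the requests involved. With `log_min_error_statement` at its default of `error`, PostgreSQL also writes the failing statement on a following `STATEMENT:` line, which this parser deliberately ignores so that the counting does not depend on payload shape.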

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 0

Affected Software

Vendor: Drupal
Product: Drupal core
Affected Versions: 8.9.0 before 10.4.10, 10.5.0 before 10.5.10, 10.6.0 before 10.6.9, 11.0.0 before 11.1.10, 11.2.0 before 11.2.12, 11.3.0 before 11.3.10
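To apply those ranges mechanically, here is an added example (not code from the tracker page or from the Drupal project) that takes a core version string and the configured database driver and reports whether the install is inside an affected range, which release on its branch carries the fix, and whether it sits on a line the page says only gets best-effort patches. It assumes plain `major.minor.patch` version strings and that the PostgreSQL backend is identified by Drupal's `pgsql` driver name; the sample inputs in the block are constructed.

```python
# Added example (not from the tracker page or Drupal): classify a Drupal core
# install against the affected ranges listed for CVE-2026-9082.
from typing import Dict, Optional, Tuple

# (lower bound inclusive, upper bound exclusive) pairs copied from the advisory text;
# the upper bound of each pair is the fixed release for that branch.
AFFECTED_RANGES: Tuple[Tuple[str, str], ...] = (
    ("8.9.0", "10.4.10"),
    ("10.5.0", "10.5.10"),
    ("10.6.0", "10.6.9"),
    ("11.0.0", "11.1.10"),
    ("11.2.0", "11.2.12"),
    ("11.3.0", "11.3.10"),
)

# Assumption: the PostgreSQL backend is the 'pgsql' driver in settings.php.
POSTGRES_DRIVERS = {"pgsql"}
# Major versions the page says only receive best-effort patches, not a fix release.
BEST_EFFORT_MAJORS = {8, 9}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple; rejects anything else."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.patch, got {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (low, fix) range the version falls in, or None if outside all ranges."""
    v = parse_version(version)
    for low, fix in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(fix):
            return (low, fix)
    return None


def assess(version: str, driver: str) -> Dict[str, object]:
    """Combine core version and database driver into a verdict.

    'vulnerable' requires both an affected version and the PostgreSQL driver,
    matching the advisory's statement that only PostgreSQL-backed sites are affected.
    'in_affected_range' is reported regardless of driver so upgrades can still be planned.
    """
    rng = affected_range(version)
    on_pg = driver.strip().lower() in POSTGRES_DRIVERS
    return {
        "version": version,
        "driver": driver,
        "in_affected_range": rng is not None,
        "postgres_backend": on_pg,
        "vulnerable": rng is not None and on_pg,
        "fix_release": rng[1] if rng else None,
        "best_effort_only": rng is not None and parse_version(version)[0] in BEST_EFFORT_MAJORS,
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for ver, drv in [("10.4.9", "pgsql"), ("10.4.9", "mysql"), ("11.3.10", "pgsql"), ("9.5.11", "pgsql")]:
        print(assess(ver, drv))
```

Feed it the core version printed by `drush status` (or the drupal/core entry in composer.lock) and the `driver` value from `$databases` in settings.php. A non-PostgreSQL site inside a range still reports `in_affected_range`, which is the right signal for scheduling the upgrade even though the tracker scopes exploitability to PostgreSQL.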
Description

Drupal core is the open-source content management system used to build and run websites, portals, and web applications.

Deployment: Commonly internet-facing | Protocol: HTTP/HTTPS | Ports: 80, 443

Affected Component: Database abstraction API and SQL query construction layer used by Drupal core on PostgreSQL-backed sites.

Enterprise Usage: not captured in this extraction (an AI-generated estimate on a Very Low to Very High scale, based on market presence, product type and adoption signals; not exact data)
Vendor Size: Medium
Remediation
Workaround

Not available. Sites that do not run Drupal on PostgreSQL are outside the affected set (see Summary); for PostgreSQL-backed sites the only remediation is the update below.

Patch
If you must remain on Drupal 8.9.x or 9.x, apply the best-effort patch linked from SA-CORE-2026-004 for your branch and plan an upgrade off the EOL release line. (Source: www.drupal.org)
Update
Upgrade Drupal core to 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, or 10.4.10, depending on your branch; older 8.9.x and 9.x branches only have best-effort patch support. Note that the first affected range (8.9.0 before 10.4.10) also covers 10.0.x through 10.3.x, for which no separate fix release is listed; move those to 10.4.10 or later. (Source: www.drupal.org)
Threat Intelligence
EPSS: data unavailable
CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors: No known threat actors

Detection Rules

No detection rules available

NVD Data


Description Summary

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

CVSS Base Score

6.5 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CWE: CWE-89 SQL Injection (SQLi)

Priority History

Planned Fix: Initial analysis