VYPR
Critical severity 9.8 · CISA KEV · NVD Advisory · Published May 20, 2026 · Updated May 22, 2026

CVE-2026-9082

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.

This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.9.0, < 10.4.10 | 10.4.10 |
| drupal/core (Packagist) | >= 10.5.0, < 10.5.10 | 10.5.10 |
| drupal/core (Packagist) | >= 10.6.0, < 10.6.9 | 10.6.9 |
| drupal/core (Packagist) | >= 11.0.0, < 11.1.10 | 11.1.10 |
| drupal/core (Packagist) | >= 11.2.0, < 11.2.12 | 11.2.12 |
| drupal/core (Packagist) | >= 11.3.0, < 11.3.10 | 11.3.10 |

Affected products

3
  • Drupal/Drupal (inferred)
    Range: >=8.9.0, <10.4.10 || >=10.5.0, <10.5.10 || >=10.6.0, <10.6.9 || >=11.0.0, <11.1.10 || >=11.2.0, <11.2.12 || >=11.3.0, <11.3.10
  • osv-coords
    Range: >= 8.9.0, < 10.4.10
