Critical severity 9.8 · CISA KEV · NVD Advisory · Published May 20, 2026 · Updated May 22, 2026
CVE-2026-9082
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.
This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.9.0, < 10.4.10 | 10.4.10 |
| drupal/core (Packagist) | >= 10.5.0, < 10.5.10 | 10.5.10 |
| drupal/core (Packagist) | >= 10.6.0, < 10.6.9 | 10.6.9 |
| drupal/core (Packagist) | >= 11.0.0, < 11.1.10 | 11.1.10 |
| drupal/core (Packagist) | >= 11.2.0, < 11.2.12 | 11.2.12 |
| drupal/core (Packagist) | >= 11.3.0, < 11.3.10 | 11.3.10 |
Affected products
- Range: >=8.9.0, <10.4.10 || >=10.5.0, <10.5.10 || >=10.6.0, <10.6.9 || >=11.0.0, <11.1.10 || >=11.2.0, <11.2.12 || >=11.3.0, <11.3.10
References
- www.drupal.org/sa-core-2026-004 (nvd: Patch, Vendor Advisory; WEB)
- github.com/advisories/GHSA-ghwc-95x2-682j (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-9082 (ghsa: ADVISORY)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (nvd: US Government Resource)
News mentions
- CISA orders feds to patch actively exploited Drupal vulnerability · BleepingComputer · May 26, 2026
- 25th May – Threat Intelligence Report · Check Point Research · May 25, 2026
- ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos · The Hacker News · May 25, 2026
- CISA Warns of Drupal Core SQL Injection Vulnerability Exploited in Attacks · Cyber Security News · May 25, 2026
- Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV · The Hacker News · May 23, 2026
- Drupal Vulnerability in Hacker Crosshairs Shortly After Disclosure · SecurityWeek · May 22, 2026
- Drupal: Critical SQL injection flaw now targeted in attacks · BleepingComputer · May 22, 2026
- CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004) · Tenable Blog · May 21, 2026
- Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking · SecurityWeek · May 21, 2026
- Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks · The Hacker News · May 21, 2026
- Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 · Drupal Security Advisories · May 20, 2026
- CISA Adds One Known Exploited Vulnerability to Catalog · CISA Alerts