cbcvebase.
CVE-2026-9082
published 2026-05-20


Priority: P194
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2026-05-27
Exploited in the wild
EPSS: 84.63% (99.7th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Affected (19 ranges)

Vendor    Product       Version range          Fixed in
drupal    core          >= 10.5.0 < 10.5.10    10.5.10
drupal    core          >= 10.6.0 < 10.6.9     10.6.9
drupal    core          >= 11.0.0 < 11.1.10    11.1.10
drupal    core          >= 11.2.0 < 11.2.12    11.2.12
drupal    core          >= 11.3.0 < 11.3.10    11.3.10
drupal    core          >= 8.9.0 < 10.4.10     10.4.10
drupal    drupal        >= 10.5.0 < 10.5.10    10.5.10
drupal    drupal        >= 10.6.0 < 10.6.9     10.6.9
drupal    drupal        >= 11.0.0 < 11.1.10    11.1.10
drupal    drupal        >= 11.2.0 < 11.2.12    11.2.12
drupal    drupal        >= 11.3.0 < 11.3.10    11.3.10
drupal    drupal        >= 8.9.0 < 10.4.10     10.4.10
drupal    drupal_core   (no range given)       (none given)
drupal    drupal_core   >= 10.5.0 < 10.5.10    10.5.10
drupal    drupal_core   >= 10.6.0 < 10.6.9     10.6.9
drupal    drupal_core   >= 11.0.0 < 11.1.10    11.1.10
drupal    drupal_core   >= 11.2.0 < 11.2.12    11.2.12
drupal    drupal_core   >= 11.3.0 < 11.3.10    11.3.10
drupal    drupal_core   >= 8.9.0 < 10.4.10     10.4.10

Detection & IOCs (extracted from sources)

  • Exploitation targets Drupal sites using PostgreSQL backends; attackers send specially crafted requests to the database abstraction API to trigger arbitrary SQL injection — non-PostgreSQL sites are not directly exploitable via this vector
  • Vulnerability is exploitable without authentication — monitor for unauthenticated/anonymous requests that contain SQL metacharacters or anomalous query structures hitting Drupal endpoints
  • Current observed attacker behaviour is predominantly reconnaissance and scanning to identify exposed PostgreSQL-backed Drupal installations — look for high-volume, low-payload probe requests across Drupal sites
  • Attack campaigns are disproportionately targeting gaming and financial services verticals — prioritise monitoring and patching for Drupal deployments in those sectors
  • Over 15,000 attack attempts observed against ~6,000 individual sites across 65 countries within days of disclosure — broad internet-wide scanning is underway; ensure Drupal version banners are suppressed and WAF rules are active
  • Check Point IPS signature is available for this threat — deploy or verify the named rule is active on perimeter IPS devices
  • Shadowserver tracks nearly 670 unpatched Drupal installations exposed online, concentrated in North America (272) and Europe (273) — use Shadowserver or Shodan data to identify and prioritise unpatched internet-facing Drupal instances
  • Only Drupal sites using PostgreSQL as the database backend are directly exploitable via this SQL injection; MySQL/MariaDB-backed sites are not affected by this specific vector, though patching is still recommended for upstream dependency fixes (Symfony, Twig)
  • Drupal 7 is not affected by CVE-2026-9082

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             6.5     MEDIUM
cisa                  6.5     MEDIUM