CVE-2026-9082
Published 2026-05-20
Priority P1 · 94 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2026-05-27
Exploited in the wild
EPSS: 84.63% (99.7th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.
This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.5.0 < 10.5.10 | 10.5.10 |
| drupal | core | >= 10.6.0 < 10.6.9 | 10.6.9 |
| drupal | core | >= 11.0.0 < 11.1.10 | 11.1.10 |
| drupal | core | >= 11.2.0 < 11.2.12 | 11.2.12 |
| drupal | core | >= 11.3.0 < 11.3.10 | 11.3.10 |
| drupal | core | >= 8.9.0 < 10.4.10 | 10.4.10 |
| drupal | drupal | >= 10.5.0 < 10.5.10 | 10.5.10 |
| drupal | drupal | >= 10.6.0 < 10.6.9 | 10.6.9 |
| drupal | drupal | >= 11.0.0 < 11.1.10 | 11.1.10 |
| drupal | drupal | >= 11.2.0 < 11.2.12 | 11.2.12 |
| drupal | drupal | >= 11.3.0 < 11.3.10 | 11.3.10 |
| drupal | drupal | >= 8.9.0 < 10.4.10 | 10.4.10 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.5.0 < 10.5.10 | 10.5.10 |
| drupal | drupal_core | >= 10.6.0 < 10.6.9 | 10.6.9 |
| drupal | drupal_core | >= 11.0.0 < 11.1.10 | 11.1.10 |
| drupal | drupal_core | >= 11.2.0 < 11.2.12 | 11.2.12 |
| drupal | drupal_core | >= 11.3.0 < 11.3.10 | 11.3.10 |
| drupal | drupal_core | >= 8.9.0 < 10.4.10 | 10.4.10 |
Detection & IOCs (extracted from sources)
- Exploitation targets Drupal sites using PostgreSQL backends: attackers send specially crafted requests to the database abstraction API to trigger arbitrary SQL injection. Non-PostgreSQL sites are not directly exploitable via this vector.
- The vulnerability is exploitable without authentication. Monitor for unauthenticated/anonymous requests that contain SQL metacharacters or anomalous query structures hitting Drupal endpoints.
- Current observed attacker behaviour is predominantly reconnaissance and scanning to identify exposed PostgreSQL-backed Drupal installations. Look for high-volume, low-payload probe requests across Drupal sites.
- Attack campaigns are disproportionately targeting gaming and financial services verticals. Prioritise monitoring and patching for Drupal deployments in those sectors.
- Over 15,000 attack attempts were observed against ~6,000 individual sites across 65 countries within days of disclosure. Broad internet-wide scanning is underway; ensure Drupal version banners are suppressed and WAF rules are active.
- A Check Point IPS signature is available for this threat. Deploy or verify the named rule is active on perimeter IPS devices.
- Shadowserver tracks nearly 670 unpatched Drupal installations exposed online, concentrated in North America (272) and Europe (273). Use Shadowserver or Shodan data to identify and prioritise unpatched internet-facing Drupal instances.
- Only Drupal sites using PostgreSQL as the database backend are directly exploitable via this SQL injection; MySQL/MariaDB-backed sites are not affected by this specific vector, though patching is still recommended for upstream dependency fixes (Symfony, Twig).
- Drupal 7 is not affected by CVE-2026-9082.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 6.5 MEDIUM
cisa · 6.5 MEDIUM
GHSA
Drupal Core has a SQL Injection issue
ghsa·2026-05-20
CVE-2026-9082 [CRITICAL] CWE-89 Drupal Core has a SQL Injection issue
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.
This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
VulDB
Drupal up to 11.3.9 sql injection (core-2026-004)
vuldb·2026-05-20·CVSS 6.5
CVE-2026-9082 [MEDIUM] Drupal up to 11.3.9 sql injection (core-2026-004)
A vulnerability was found in Drupal up to 11.3.9. It has been classified as critical. This issue affects some unknown processing. Performing a manipulation results in sql injection.
This vulnerability is cataloged as CVE-2026-9082. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is recommended.
VulnCheck
Drupal Core SQL Injection Vulnerability
vulncheck·2026·CVSS 6.5
CVE-2026-9082 [MEDIUM] CWE-89 Drupal Core SQL Injection Vulnerability
Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.
Affected: Drupal Drupal Core
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.drupal.org/sa-core-2026-004
Remediation Due: 2026-05-27
CISA
Drupal Core SQL Injection Vulnerability
cisa·2026-05-22·CVSS 6.5
CVE-2026-9082 [MEDIUM] CWE-89 Drupal Core SQL Injection Vulnerability
Vulnerability: Drupal Core SQL Injection Vulnerability
Affected: Drupal Core
Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.drupal.org/sa-core-2026-004 ; https://nvd.nist.gov/vuln/detail/CVE-2026-9082
Remediation Due Date: 2026-05-27
Drupal
Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
vendor_drupal·2026-05-20
CVE-2026-9082 [CRITICAL] Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
Title: Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
Vulnerability Type: SQL injection
Description: Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. This vulnerability can be exploited by anonymous users. This SQL injection vulnerability only affects sites using PostgreSQL. However, the third-party dependency updates in these releases apply to all sites. Upstream security advisories The Drupal r
No detection rules found.
Exploit-DB
Drupal Core 10.5.5 - Error-Based SQL Injection
exploitdb·2026-06-01·CVSS 6.5
CVE-2026-9082 [MEDIUM] Drupal Core 10.5.5 - Error-Based SQL Injection
---
# Exploit Title: Drupal Core 10.5.5 - Error-Based SQL Injection
# Google Dork: N/A
# Date: 2026-05-31
# Exploit Author: cardosource
# Vendor Homepage: https://www.drupal.org
# Software Link: https://www.drupal.org/project/drupal
# Version: Drupal Core 10.5.5
# Tested on: Debian Linux (Docker), PHP 8.2, Apache, PostgreSQL 17
# CVE: CVE-2026-9082
#
# Description:
# This proof-of-concept demonstrates an Error-Based SQL Injection in
# Drupal Core 10.5.5 (PostgreSQL). User-controlled JSON:API filter
# array keys influence SQL query construction, allowing database
# information disclosure through SQL error messages.
import requests
import json
from urllib.parse import urlencode
TARGET_URL = "http://localhost:8080/jsonapi/node/article"
BANN
Nuclei
Drupal Core - Anonymous SQL Injection via PostgreSQL Entity Query
nuclei·CVSS 6.5
CVE-2026-9082 [MEDIUM] Drupal Core - Anonymous SQL Injection via PostgreSQL Entity Query
Drupal core from 8.9.0 before 10.4.10, 10.5.0 before 10.5.10, 10.6.0 before 10.6.9, 11.0.0 before 11.1.10, 11.2.0 before 11.2.12, and 11.3.0 before 11.3.10 contains an SQL injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input.
Template:
id: CVE-2026-9082
info:
name: Drupal Core - Anonymous SQL Injection via PostgreSQL Entity Query
author: slcyber,DhiyaneshDk
severity: critical
description: |
Drupal core from 8.9.0 before 10.4.10, 10.5.0 before 10.5.10, 10.6.0 before 10.6.9, 11.0.0 before 11.1.10, 11.2.0 before 11.2.12, and 11.3.0 before 11.3.10 contains an SQL injection caused by improper neutralization of special e
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable·2026-05-27
CVE-2023-4966 Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
## Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Bleepingcomputer
CISA orders feds to patch actively exploited Drupal vulnerability
blogs_bleepingcomputer·2026-05-26·CVSS 6.5
CVE-2026-9082 [MEDIUM] CISA orders feds to patch actively exploited Drupal vulnerability
## CISA orders feds to patch actively exploited Drupal vulnerability
## Sergiu Gatlan
CISA has given U.S. government agencies until Wednesday evening to secure their servers against an SQL injection vulnerability in the Drupal content management system (CMS) that it flagged as actively exploited.
Drupal is typically used by large organizations managing massive data structures and multi-site installations, including government entities, educational organizations, major research universities, and high-profile enterprise and media organizations.
Google/Mandiant researcher Michael Maturi discovered this vulnerability (now tracked as CVE-2026-9082) in Drupal's database abstraction API.
The security flaw can be exploited without authentication, allowing attackers to trigger arbitrary SQL i
Checkpoint
25th May – Threat Intelligence Report
blogs_checkpoint·2026-05-25
CVE-2026-41091 25th May – Threat Intelligence Report
## 25th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 25th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
7-Eleven, the global convenience store chain, confirmed a breach after unauthorized access to systems used for franchisee documents. ShinyHunters claimed responsibility and said it stole more than 600,000 Salesforce records containing personal and corporate information, with affected individuals offered identity protection serv
Hackernews
⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
blogs_hackernews·2026-05-25
CVE-2026-46333 ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
## ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
Monday recap. Same mess, new week.
A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times.
Phishing crews are getting smarter too - less obvious scam junk, more targeted stuff that actually looks real. Meanwhile, botnets are grabbing anything exposed to the internet like it's free candy. The Internet's still a dumpster fire.
Let’s get into
Hackernews
Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV
blogs_hackernews·2026-05-23·CVSS 6.5
CVE-2026-9082 [MEDIUM] Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV
## Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core.
"Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstra
Bleepingcomputer
Drupal: Critical SQL injection flaw now targeted in attacks
blogs_bleepingcomputer·2026-05-22·CVSS 6.5
CVE-2026-9082 [MEDIUM] Drupal: Critical SQL injection flaw now targeted in attacks
## Drupal: Critical SQL injection flaw now targeted in attacks
## Bill Toulas
Drupal is warning that hackers are attempting to exploit a "highly critical" SQL injection vulnerability announced earlier this week.
The content management system (CMS) project published a PSA on May 18, urging administrators to reserve time for core updates that addressed an issue that threat actors might start exploiting "within hours or days."
The flaw is now tracked as CVE-2026-9082 and was discovered by Google/Mandiant researcher Michael Maturi. It affects Drupal’s database abstraction API. It allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL.
SQL injection is a flaw in which attackers inject malicious SQL commands into database queries via user input fields
Tenable
Tenable One deepens third-party integrations with new Open Connector for unified risk visibility
blogs_tenable·2026-05-21
CVE-2026-9082 Tenable One deepens third-party integrations with new Open Connector for unified risk visibility
## Tenable One deepens third-party integrations with new Open Connector for unified risk visibility
The days of rigid, vendor-locked security stacks are over. The Tenable One Open Connector amplifies Tenable One’s extensive capacity to ingest and consolidate third-party security data, giving you mo
Hackernews
Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks
blogs_hackernews·2026-05-21·CVSS 6.5
CVE-2026-9082 [MEDIUM] Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks
## Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks
Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.
The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is used in Drupal Core to validate queries and ensure they are sanitized against SQL injection attacks.
"A vulnerability in this API allows an attacker to send sp
Tenable
CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
blogs_tenable·2026-05-21·CVSS 6.5
CVE-2026-9082 [MEDIUM] CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
## CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
A highly critical SQL injection vulnerability in Drupal core's database abstraction layer affects sites running PostgreSQL.
## Key Takeaways
CVE-2026-9082 is a highly critical SQL injection vulnerabi
Bugzilla
CVE-2026-9082 drupal: Drupal core: SQL Injection vulnerability allows data manipulation
bugzilla·2026-05-20·CVSS 6.5
CVE-2026-9082 [MEDIUM] CVE-2026-9082 drupal: Drupal core: SQL Injection vulnerability allows data manipulation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.
This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Published: 2026-05-20
Added to CISA KEV: 2026-05-22
Exploited in the wild