CVE-2026-9082

CRITICAL9.8⚠ KEVEPSS 7.7%

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Published: 5/20/2026Modified: 5/29/2026Added to CISA KEV: 5/22/2026

Also known as:BIT-drupal-2026-9082DRUPAL-CORE-2026-004

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Affected packages (1)

Packagist/drupal/core>= 8.9.0, < 10.4.10 | >= 10.5.0, < 10.5.10 | >= 10.6.0, < 10.6.9 | >= 11.0.0, < 11.1.10 | >= 11.2.0, < 11.2.12 | >= 11.3.0, < 11.3.10

CVSS scores

Source	Version	Severity	Vector
nvd	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)

WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-9082
WEBhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082
WEBhttps://www.drupal.org/sa-core-2026-004