CVE-2026-9082 PUBLISHED

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Assigner: drupal
Reserved: 20.05.2026 Published: 20.05.2026 Updated: 21.05.2026

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal core allows SQL Injection.

This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Product Status

Vendor Drupal
Product Drupal core
Versions Default: unaffected
  • affected from 8.9.0 to 10.4.10 (excl.)
  • affected from 10.5.0 to 10.5.10 (excl.)
  • affected from 10.6.0 to 10.6.9 (excl.)
  • affected from 11.0.0 to 11.1.10 (excl.)
  • affected from 11.2.0 to 11.2.12 (excl.)
  • affected from 11.3.0 to 11.3.10 (excl.)

Credits

  • Michael Maturi (michaelmaturi) finder
  • Björn Brala (bbrala) remediation developer
  • Benji Fisher (benjifisher) remediation developer
  • catch (catch) remediation developer
  • Lee Rowlands (larowlan) remediation developer
  • Dave Long (longwave) remediation developer
  • Drew Webber (mcdruid) remediation developer
  • Jess (xjm) remediation developer
  • Anna Kalata (akalata) coordinator
  • Benji Fisher (benjifisher) coordinator
  • catch (catch) coordinator
  • Damien McKenna (damienmckenna) coordinator
  • Neil Drumm (drumm) coordinator
  • Greg Knaddison (greggles) coordinator
  • Heine Deelstra (heine) coordinator
  • Tim Hestenes Lehnen (hestenet) coordinator
  • Dave Long (longwave) coordinator
  • Drew Webber (mcdruid) coordinator
  • Juraj Nemec (poker10) coordinator
  • Pierre Rudloff (prudloff) coordinator
  • Jess (xjm) coordinator
  • Cathy Theys (yesct) coordinator

Problem Types

  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impacts

  • CAPEC-66 SQL Injection