CVE-2026-9082

Published May 20, 2026

Last updated 22 days ago

Exploit known
CVSS critical 9.8
Zero-day
SQL injection
Database
Drupal Core
Drupal

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-9082 is a SQL injection vulnerability found within the database abstraction API of Drupal core. This flaw specifically impacts Drupal websites that utilize PostgreSQL databases. An attacker can exploit this vulnerability by sending specially crafted requests, which can lead to arbitrary SQL injection. Successful exploitation of CVE-2026-9082 can result in information disclosure, and in some cases, privilege escalation or remote code execution. This vulnerability can be exploited by anonymous users. The security updates released for this issue also include fixes for upstream dependencies like Symfony and Twig.

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Source: mlhess@drupal.org
NVD status: Analyzed
Products: drupal

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Drupal Core SQL Injection Vulnerability
Exploit added on: May 22, 2026
Exploit action due: May 27, 2026
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

mlhess@drupal.org
CWE-89

Social media

Hype score
Not currently trending
  1. 00:00 UTC: CVE-2026-9082 disclosed. CISA: CVE-2026-9082 added to Known Exploited Vulnerabilities — Drupal Core Status: ✅ Confirmed exploited in the wild Date added: 2026-05-22 Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01…

    @lyrie_ai

    11 Jun 2026

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. In the news: CVE-2026-9082 and the Hidden Risk in Drupal's Core - A recently discovered vulnerability in Drupal Core, tracked as CVE-2026-9082 has been exploited in the wild and added to the United States Cybersecurity and Infrastructure Security Agency.. https://t.co/TnL0KZxLL5

    @security_buzz

    8 Jun 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 18:10 UTC: CVE-2026-9082 disclosed. CVE-2026-9082: Drupal's Highly Critical SQL Injection Flaw Is Already Under Active Attack 0day Intel: CVE-2026-9082: Drupal's Highly Critical SQL Injection Flaw Is Already Under Acti

    @lyrie_ai

    7 Jun 2026

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. 07:26 UTC: CVE-2026-9082 disclosed. 🚨 Drupal Core SQL injection is now actively exploited. CISA added CVE-2026-9082 to its KEV ca 0day Intel: 🚨 Drupal Core SQL injection is now actively exploited.

    @lyrie_ai

    7 Jun 2026

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. CVE-2026-9082. 0day Intel: Our team at @SLCyberSec / @assetnote just shipped a same-day breakdown of CVE-20

    @lyrie_ai

    7 Jun 2026

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. CISA KEV alert 26/05/22: Drupal Core vulnerability CVE-2026-9082 added to KEV https://t.co/oqtl99SX5i CVE-2026-9082, the vulnerability covered in this article, user input handling in the platform's database abstraction API

    @iototsecnews

    1 Jun 2026

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. This post explains the CVE-2026-9082 security vulnerability in Drupal core, which relates to PostgreSQL SQL Injection. We give you an overview and the lessons learned from this case. An overview and key takeaways of the Drupal

    @fad_777

    31 May 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2026-9082: Drupal’s PostgreSQL SQL injection is being probed — update your sites https://t.co/pUlEGPUajH

    @ToolsLib

    30 May 2026

    45 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Very nice exploit chain. Drupal SQLi CVE-2026-9082 -> RCE, bravo! https://t.co/Q0ndZUqIgO

    @mynameisv_

    28 May 2026

    121 Impressions

    1 Retweet

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  10. CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004) https://t.co/pwABPoKUVO https://t.co/8Pjdrnddvj

    @IT_Peurico

    27 May 2026

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Legacy exposure keeps paying off for attackers. CVE-2026-9082 makes Drupal on PostgreSQL an urgent KEV pa… CVE-2026-9082 gives anonymous attackers an SQL injection path against PostgreSQL-backed Dru… 🔗 Read → https://t.co/2rW6eHWr9A

    @fynn_JourX

    27 May 2026

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 🛑 CVE-2026-9082 makes Drupal on PostgreSQL an urgent KEV patch priority CVE-2026-9082 gives anonymous attackers an SQL injection path against PostgreSQL-backed Dru… 🔗 Details → https://t.co/rE7ofyw65J

    @lucasverdan

    27 May 2026

    80 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. For defenders, cve-2026-9082 makes drupal on postgresql an urgent kev patch pr… should move fast. CVE-2026-9082 gives anonymous attackers an SQL injection path against PostgreSQL-backed Dru… 🔗 Details → https://t.co/Yj5xWsLWJK

    @SocXAInvaders

    27 May 2026

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Drupal under fire: critical SQL injection tracked as CVE-2026-9082 On May 20, the Drupal security team issued advisory SA-CORE-2026-004, which describes a highly critical vulnerability in the core of this popular open-source CMS, tracked as CVE-2026-9082. SQL

    @zakpatrik

    26 May 2026

    91 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. GitHub - 7h30th3r0n3/CVE-2026-9082-Drupal-PoC: Drupal Core PostgreSQL SQL Injection PoC - CVE-2026-9082. Ethical PoC for the Drupal vulnerability allowing anonymous SQL injection through the JSON:API module on PostgreSQL-backed sites. · GitHub https://t.co/AoCC9is91N

    @akaclandestine

    26 May 2026

    1418 Impressions

    5 Retweets

    18 Likes

    11 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2026-9082 in Drupal Core: SQL injection in the database abstraction API, targeting sites that use PostgreSQL. It is exploited without authentication and leads to RCE or privilege escalation depending on configuration. It affects Drupal 8 through 11.

    @KasperskyDev

    26 May 2026

    108 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  17. [Exploitation attempts against Drupal CVE-2026-9082; sites using PostgreSQL should check] Exploitation attempts against Drupal's CVE-2026-9082 were confirmed shortly after its disclosure.

    @01ra66it

    26 May 2026

    245 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004) https://t.co/Ms59fcXQ2a https://t.co/tmlu99zTQ1

    @Art_Capella

    25 May 2026

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004) https://t.co/M6fKoRQGlC https://t.co/6ZkEBgZeA1

    @dansantanna

    25 May 2026

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. CVE-2026-9082: Drupal's Highly Critical SQL Injection Flaw Is Already Under Active Attack https://t.co/RqZj0fE0Rf

    @ohhara_shiojiri

    25 May 2026

    81 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. CVE-2026-9082: Critical Drupal SQL Injection Flaw Exploited https://t.co/8lylyQdNky #Cybertrending #Cybernewsdaily #Cybersecurity

    @CyberInsights1

    25 May 2026

    12 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  22. CVE-2026-9082: Critical Drupal SQL Injection Flaw Exploited https://t.co/ABmw5D0KC2 #Cybertrending #Cybernewsdaily #Cybersecurity

    @cybrsecpath

    25 May 2026

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. CVE-2026-9082: Critical Drupal SQL Injection Flaw Exploited https://t.co/od3LizXff5 #Cybertrending #Cybernewsdaily #Cybersecurity

    @TheCyberDef

    24 May 2026

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. CVE-2026-9082: Critical Drupal SQL Injection Flaw Exploited https://t.co/CtySYfiXp1 #Cybertrending #Cybernewsdaily #Cybersecurity

    @unknownmatter19

    24 May 2026

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. 🔥 Critical CISA urgency: CVE-2026-9082, the active SQL injection in Drupal Core, threatens thousands of sites, with a deadline set for May 27, 2026. #zoneantimalware https://t.co/JPKiMAEzsm

    @NicolasCoolman

    24 May 2026

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. 🛡️⚔️ VULNCHEFAI Morning Threat Intel 3 active CISA KEVs confirmed in the wild: • CVE-2026-9082 — Drupal Core (patch by May 27) • CVE-2025-34291 — Langflow • CVE-2026-34926 — Trend Micro Apex One Real-world exposures already showing on Shodan. Patch th

    @CyberchefG

    24 May 2026

    241 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Drupal CVE-2026-9082 Blind SQL Injection Checker 👾💉 🔗 https://t.co/vUxmFfHCGT 🔗 https://t.co/N6QEWRC7vm 🔗 https://t.co/8FeI5kQpkt https://t.co/frr4dCYakL

    @N45HTOfficial

    24 May 2026

    84 Impressions

    0 Retweets

    0 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  28. Top 5 Trending CVEs: 1 - CVE-2026-9082 2 - CVE-2026-9256 3 - CVE-2026-44578 4 - CVE-2026-42897 5 - CVE-2024-23265 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    24 May 2026

    133 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. 🔴 Drupal, SQL Injection, #CVE-2026-9082 (Critical) https://t.co/d6hipi9g5W

    @dailycve

    24 May 2026

    71 Impressions

    2 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. Intel Report [CRITICAL] - On May 20, 2026, the Drupal Security Team released SA-CORE-2026-004 addressing CVE-2026-9082, a highly critical SQL injection vulnerability in Drupal core's database abstraction API. The flaw specifically affects Drupal sites... https://t.co/i2pB1lYaq6

    @EnigmaGlobalSW

    24 May 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. 🚨 Just confirmed: the Drupal SQL injection vulnerability, CVE-2026-9082, is already being actively exploited by attackers. The Drupal security team issued a highly critical security patch on May 20 for CVE-2026-9082, a vulnerability

    @BotBauR

    23 May 2026

    96 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  32. CVE-2026-9082: Drupal's Highly Critical SQL Injection Flaw Is Already Under Active Attack https://t.co/Upg2WfWtV7

    @VivekIntel

    23 May 2026

    151 Impressions

    0 Retweets

    2 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  33. CVE-2026-9082: Drupal’s Highly Critical SQL Injection Flaw Is Already Under Active Attack: Attackers began exploiting Drupal SQL injection flaw CVE-2026-9082 within 48 hours of patch release. Drupal issued a highly critical security patch on May 20 for… https://t.co/RuGDmsZJz

    @shah_sheikh

    23 May 2026

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Drupal Vulnerability CVE-2026-9082 in Hacker Crosshairs Shortly After Disclosure https://t.co/GoLcLNPEz0

    @SecurityWeek

    23 May 2026

    1231 Impressions

    4 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  35. [Cybersecurity trend analysis] Trending security news (as of May 23, 2026) Drupal Core SQL Injection vulnerability (CVE-2026-9082) is being actively exploited https://t.co/hmqRlLQbNN https://t.co/RXW7NklWcL LiteSpeed cPanel Plugin's

    @kenebeii

    23 May 2026

    70 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. 🔗 Read more: 🔍 Drupal Core SQL Injection Vulnerability Added to KEV Catalog 📝 Drupal Core CVE-2026-9082 exploited, poses significant risk to federal networks. https://t.co/2IYdNSslHv 📰 Alerts #CVE #ZeroDay

    @Bug_X_hunter

    22 May 2026

    109 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. 🚨 New CISA KEV: CVE-2026-9082 Drupal Core https://t.co/J59A3gT34n #boarnet #cybersecurity #cisakev #cve #threatintelligence #malware https://t.co/OKWbQGBrUw

    @boarnetio

    22 May 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. A new tool for extracting data through the Drupal CVE-2026-9082 vulnerability using the Boolean Blind technique. Details of the tool and its practical application are set out in the attached references for those interested in penetration testing and securing

    @fad_777

    22 May 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. Top 5 Trending CVEs: 1 - CVE-2026-42945 2 - CVE-2026-46333 3 - CVE-2026-9082 4 - CVE-2026-31431 5 - CVE-2025-34291 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    22 May 2026

    267 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. 🔒 #CyberSecurity CVE-2026-9082: Drupal Core PostgreSQL Flaw — Detection and Hardening "Drupal sites using PostgreSQL are vulnerable to CVE-2026-9082. Attackers can exploit the DB API for…" 🔗 https://t.co/xens0eCSB4 #CyberSecurity #ThreatIntel #cve #zeroday #patchtue

    @SecurityAr58409

    21 May 2026

    80 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  41. Critical vulnerability in Drupal (SA-CORE-2026-004, CVE-2026-9082) https://t.co/ewtcPe8zwO

    @abclinuxu

    21 May 2026

    106 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. CVE-2026-9082 Drupal core SQL injection https://t.co/tXNX2vDXek https://t.co/DKlMy016cM

    @h4x0r_dz

    20 May 2026

    15860 Impressions

    46 Retweets

    266 Likes

    105 Bookmarks

    0 Replies

    0 Quotes

  43. Drupal core highly critical security update (CVE-2026-9082) https://t.co/LzB0UHVh3L

    @getpantheon

    20 May 2026

    218 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations