SQL Injection Vulnerability in Drupal Core by Drupal
CVE-2026-9082

6.5 MEDIUM

Key Information:

Vendor: Drupal
CVE Published: 20 May 2026

What is CVE-2026-9082?

An SQL Injection vulnerability exists in Drupal Core that arises from improper neutralization of special elements utilized in SQL commands. This flaw allows attackers to manipulate SQL queries, potentially leading to unauthorized access to sensitive data. Affected versions include those from 8.9.0 to 10.4.10, 10.5.0 to 10.5.10, 10.6.0 to 10.6.9, 11.0.0 to 11.1.10, 11.2.0 to 11.2.12, and 11.3.0 to 11.3.10, underscoring the need for immediate updates to mitigate risks.

Affected Version(s)

Drupal core 8.9.0 < 10.4.10

Drupal core 10.5.0 < 10.5.10

Drupal core 10.6.0 < 10.6.9

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Maturi (michaelmaturi)
Björn Brala (bbrala)
Benji Fisher (benjifisher)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Jess (xjm)
Anna Kalata (akalata)
Damien McKenna (damienmckenna)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Heine Deelstra (heine)
Tim Hestenes Lehnen (hestenet)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
Cathy Theys (yesct)