CVE-2026-9082
Drupal Core SQL Injection Vulnerability - [Actively Exploited]
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
INFO
Published Date: May 20, 2026, 8:16 p.m.
Last Modified: May 22, 2026, 7:38 p.m.
Remotely Exploitable: Yes
Source: [email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Description: Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known to be used in ransomware campaigns: Unknown
Notes: https://www.drupal.org/sa-core-2026-004 ; https://nvd.nist.gov/vuln/detail/CVE-2026-9082
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | MEDIUM | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | | | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| | CVSS 3.1 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | | | [email protected] |
Solution
- Update Drupal core immediately.
- Apply the latest security patches.
Public PoC/Exploit Available at Github
CVE-2026-9082 has 16 public PoC/exploit repositories available on GitHub; the list of repositories is in the Public Exploits section.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-9082.
| URL | Resource |
|---|---|
| https://www.drupal.org/sa-core-2026-004 | Patch Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-9082 is associated with the following CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-9082 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by the most recently updated).
- Drupal Core PostgreSQL SQLi to RCE via /user/login (CVE-2026-9082 / SA-CORE-2026-004). Topics: drupal exploit postgresql rce security-research sqli cve-2026-9082. Languages: Python
- lab + PoCs for 5 CVEs (Next.js + Drupal). Languages: Dockerfile TypeScript JavaScript Shell Python
- Drupal CVE-2026-9082 Blind SQL Injection Checker. Languages: Python
- Actively exploited CVE scanners from CISA KEV + Twitter trends - Drupal SQLi, PAN-OS RCE, Android ADBD, GHE RCE, BeyondTrust, Defender, and more. Languages: Python
- Search & extract tweets without API keys - find trending hacking issues, CVEs, and cybersecurity discussions. Languages: Python
- Drupal PostgreSQL SQLi Scanner - Unauthenticated SQL Injection in Drupal Core via JSON:API (CISA KEV May 2026). Languages: Python
- PoC for CVE-2026-9082 (Drupal SA-CORE-2026-004) Drupal Core SQLi. Topics: drupal poc vulnerablity. Languages: Makefile Dockerfile Python
- Drupal Core PostgreSQL SQL Injection PoC - CVE-2026-9082. Ethical PoC for the Drupal vulnerability allowing anonymous SQL injection through the JSON:API module on PostgreSQL-backed sites. Languages: Python
- CVE-2026-9082. Languages: Python. Topics: cve poc
- CVE-2026-9082 | SA-CORE-2026-004. Languages: Shell Python
- (no description). Languages: Python
- KQL Queries: Audit CVE impact, patch status, remediation progress, and verification results across systems. Languages: Makefile Go
- (no description). Languages: HTML Shell
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2026-9082 vulnerability anywhere in the article.
- CybersecurityNews: CISA Warns of Drupal Core SQL Injection Vulnerability Exploited in Attacks. CISA has issued an urgent alert regarding a critical SQL injection vulnerability in Drupal Core, tracked as CVE-2026-9082, which is now being actively exploited in real-world attacks. The flaw, classi ...
- TheCyberThrone: CVE-2026-9082 – Drupal Core SQL Injection (May 24, 2026). CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core’s database abstraction API, specifically in the PostgreSQL EntityQuery condition handler. An unauthenticated, ...
- The Hacker News: Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based o ...
- security.nl: Drupal reports active exploitation of highly critical SQL injection flaw. The developers of the content management system (CMS) Drupal warn of active exploitation of a highly critical SQL injection flaw (CVE-2026-9082). Through the vulnerability, an attacker can gain access t ...
- security.nl: Highly critical Drupal flaw enables SQL injection, updates available. A highly critical vulnerability in the content management system (CMS) Drupal enables SQL injection. As a result, attackers can gain access to information. In certain cases an attacker ...
- The Hacker News: Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks. Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or infor ...
The following tables list the changes that have been made to the CVE-2026-9082 vulnerability over time. Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
Initial Analysis by [email protected] (May 22, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | | OR `*cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*` versions from (including) 10.5.0 up to (excluding) 10.5.10; `*cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*` versions from (including) 10.6.0 up to (excluding) 10.6.9; `*cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*` versions from (including) 11.0.0 up to (excluding) 11.1.10; `*cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*` versions from (including) 11.2.0 up to (excluding) 11.2.12; `*cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*` versions from (including) 11.3.0 up to (excluding) 11.3.10; `*cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*` versions from (including) 8.9.0 up to (excluding) 10.4.10 |
| Added | Reference Type | | CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082 Types: US Government Resource |
| Added | Reference Type | | Drupal.org: https://www.drupal.org/sa-core-2026-004 Types: Patch, Vendor Advisory |

CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (May 22, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Removed | CVSS V3.1 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | |
| Removed | CWE | CWE-89 | |
| Added | Reference | | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082 |

CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725 (May 22, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Date Added | | 2026-05-22 |
| Added | Due Date | | 2026-05-22 |
| Added | Required Action | | 2026-05-22 |
| Added | Vulnerability Name | | 2026-05-22 |

CVE Modified by [email protected] (May 22, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (May 22, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Removed | CVSS V3.1 | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | |

New CVE Received by [email protected] (May 20, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10. |
| Added | CWE | | CWE-89 |
| Added | Reference | | https://www.drupal.org/sa-core-2026-004 |

CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (May 20, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| Added | CWE | | CWE-89 |