CVE-2026-9082

CRITICAL | CISA KEV

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Published: May 20, 2026
Modified: May 22, 2026
CWE-89

CVSS Metrics

CVSSv3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products (6)

| Vendor | Product | Version |
|--------|---------|---------|
| drupal | drupal | * ≥ 8.9.0 < 10.4.10 |
| drupal | drupal | * ≥ 10.5.0 < 10.5.10 |
| drupal | drupal | * ≥ 10.6.0 < 10.6.9 |
| drupal | drupal | * ≥ 11.0.0 < 11.1.10 |
| drupal | drupal | * ≥ 11.2.0 < 11.2.12 |
| drupal | drupal | * ≥ 11.3.0 < 11.3.10 |

GitHub Security Advisory GHSA-ghwc-95x2-682j

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...

Risk Scores

CVSS Score 9.8 / 10
EPSS Score 13.03%

Top 6% most likely to be exploited

Threat Score 73.1 / 100

CISA Known Exploited

Date Added: 2026-05-22
Due Date: 2026-05-27
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Data Sources

NVD, CISA KEV, EPSS, GitHub