Drupal core – Highly critical – SQL injection – SA-CORE-2026-004

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.

This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Basic Information

ID CVE-2026-9082

Source drupal

Published May 20, 2026 at 18:20

Modified May 20, 2026 at 19:37

Affected Product

Vendor Drupal

Product Drupal core

Version 8.9.0

Affected Versions Drupal Drupal core 8.9.0
Drupal Drupal core 10.5.0
Drupal Drupal core 10.6.0
Drupal Drupal core 11.0.0
Drupal Drupal core 11.2.0
Drupal Drupal core 11.3.0

CWE Classification

CWE-89

References

www.drupal.org /sa-core-2026-004

{
    "lastseen": "",
    "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.\n\nThis issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.",
    "published": "2026-05-20T18:20:52.863Z",
    "modified": "2026-05-20T19:37:09.384Z",
    "type": "cve",
    "title": "Drupal core - Highly critical - SQL injection - SA-CORE-2026-004",
    "source": "drupal",
    "references": "https://www.drupal.org/sa-core-2026-004",
    "id": "CVE-2026-9082",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "Drupal Drupal core 8.9.0\nDrupal Drupal core 10.5.0\nDrupal Drupal core 10.6.0\nDrupal Drupal core 11.0.0\nDrupal Drupal core 11.2.0\nDrupal Drupal core 11.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Drupal core",
    "version": "8.9.0",
    "vendor": "Drupal",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Drupal core – Highly critical – SQL injection – SA-CORE-2026-004_CVE-2026-9082