CVE-2026-9082
Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
CVSS 3.1: 9.8 CRITICAL
⚠ KEV | EPSS 7.7%
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
How to fix CVE-2026-9082
To remediate CVE-2026-9082, upgrade the affected package to a fixed version below.
- Upgrade to 10.4.10 or later
- Upgrade to 10.4.10 or later
Is CVE-2026-9082 being exploited?
Yes — CVE-2026-9082 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.
Affected packages (2)
- >= 8.9.0, < 10.4.10, >= 10.5.0, < 10.5.10, >= 10.6.0, < 10.6.9, >= 11.0.0, < 11.1.10, >= 11.2.0, < 11.2.12, >= 11.3.0, < 11.3.10
- >= 8.9.0, < 10.4.10 | >= 10.5.0, < 10.5.10 | >= 10.6.0, < 10.6.9 | >= 11.0.0, < 11.1.10 | >= 11.2.0, < 11.2.12 | >= 11.3.0, < 11.3.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| nvd | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |