CVE-2026-9082

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 12.57%• Percentile: 94%

Techniques & Countermeasures

• CWE-89•Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Affected Systems

• drupal•drupal core

  ≥ 8.9.0, < 10.4.10 | ≥ 10.5.0, < 10.5.10 | ≥ 10.6.0, < 10.6.9 | ≥ 11.0.0, < 11.1.10 | ≥ 11.2.0, < 11.2.12 | ≥ 11.3.0, < 11.3.10

References (2)

• https://www.drupal.org/sa-core-2026-004
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082