[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-9082":6},{"stargazers_count":4,"fetched_at":5},6,"2026-05-23T17:12:43.660Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":44,"aliases":45,"duplicate_of":9,"upstream":46,"downstream":47,"duplicates":48,"related":49,"reserved_at":9,"published_at":50,"modified_at":51,"state":52,"summary":53,"references_raw":64,"kevs":75,"epss":86,"epss_history":89,"metrics":98,"affected":109},"CVE-2026-9082","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.\n\nThis issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-89","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.","weakness","Stable","Base","High",[20,24,28,32,36,40],{"id":21,"name":22,"techniques":23},"CAPEC-108","Command Line Execution through SQL Injection",[],{"id":25,"name":26,"techniques":27},"CAPEC-109","Object Relational Mapping Injection",[],{"id":29,"name":30,"techniques":31},"CAPEC-110","SQL Injection through SOAP Parameter Tampering",[],{"id":33,"name":34,"techniques":35},"CAPEC-470","Expanding Control over the Operating System from the Database",[],{"id":37,"name":38,"techniques":39},"CAPEC-66","SQL Injection",[],{"id":41,"name":42,"techniques":43},"CAPEC-7","Blind SQL Injection",[],[],[],[],[],[],[],"2026-05-20T18:20:52.863Z","2026-05-23T03:55:38.207Z","Deferred",{"cisa_kev":54,"cisa_ransomware":55,"cisa_vendor":56,"epss_severity":57,"epss_score":58,"severity":59,"severity_score":60,"severity_version":61,"severity_source":62,"severity_vector":63,"severity_status":52},true,false,"Drupal","medium",0.12571,"critical",9.8,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[65,70],{"url":66,"sources":67,"tags":69},"https://www.drupal.org/sa-core-2026-004",[62,68],"nvd",[],{"url":71,"sources":72,"tags":73},"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082",[62],[74],"Government Resource",[76],{"source":77,"vendor":56,"product":78,"date_added":79,"vulnerability_name":80,"short_description":81,"required_action":82,"due_date":83,"known_ransomware_campaign_use":84,"notes":85,"exploitation_type":9},"cisa","Core","2026-05-22","Drupal Core SQL Injection Vulnerability","Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.","Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","2026-05-27","Unknown","https://www.drupal.org/sa-core-2026-004 ; https://nvd.nist.gov/vuln/detail/CVE-2026-9082",{"date":87,"score":58,"percentile":88},"2026-05-23",0.94035,[90,94,97],{"date":91,"score":92,"percentile":93},"2026-05-21",0.00012,0.01651,{"date":79,"score":95,"percentile":96},0.00017,0.04622,{"date":87,"score":58,"percentile":88},[99,103],{"source":62,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":100,"cvss_v4_0":9},{"baseScore":60,"baseSeverity":101,"vectorString":63,"impactScore":60,"exploitabilityScore":102},"CRITICAL",10,{"source":68,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":104,"cvss_v4_0":9},{"baseScore":105,"baseSeverity":106,"vectorString":107,"impactScore":108,"exploitabilityScore":102},6.5,"MEDIUM","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",4.2,[110],{"ecosystem":9,"name":111,"vendor":112,"product":113,"cpe_part":114,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":115},"Drupal core","drupal","drupal core","a",[116,122,126,130,134,138],{"version":117,"is_range":54,"range_type":62,"version_start":118,"version_start_type":119,"version_end":120,"version_end_type":121,"fixed_in":9},">= 8.9.0, \u003C 10.4.10","8.9.0","including","10.4.10","excluding",{"version":123,"is_range":54,"range_type":62,"version_start":124,"version_start_type":119,"version_end":125,"version_end_type":121,"fixed_in":9},">= 10.5.0, \u003C 10.5.10","10.5.0","10.5.10",{"version":127,"is_range":54,"range_type":62,"version_start":128,"version_start_type":119,"version_end":129,"version_end_type":121,"fixed_in":9},">= 10.6.0, \u003C 10.6.9","10.6.0","10.6.9",{"version":131,"is_range":54,"range_type":62,"version_start":132,"version_start_type":119,"version_end":133,"version_end_type":121,"fixed_in":9},">= 11.0.0, \u003C 11.1.10","11.0.0","11.1.10",{"version":135,"is_range":54,"range_type":62,"version_start":136,"version_start_type":119,"version_end":137,"version_end_type":121,"fixed_in":9},">= 11.2.0, \u003C 11.2.12","11.2.0","11.2.12",{"version":139,"is_range":54,"range_type":62,"version_start":140,"version_start_type":119,"version_end":141,"version_end_type":121,"fixed_in":9},">= 11.3.0, \u003C 11.3.10","11.3.0","11.3.10"]