CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

criticalknown exploitedpublic exploitCVE-2026-9082
Actively exploited. At least one CVE in this advisory is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild. Treat remediation as urgent.
Project: Drupal core Date: 2026-May-20 Security risk: Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:Uncommon Vulnerability: SQL injection Affected versions: >= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10 CVE IDs: CVE-2026-9082 Description: Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. This vulnerability can be exploited by anonymous users. This SQL injection vulnerability only affects sites using PostgreSQL . However, the third-party dependency updates in these releases apply to all sites. Updates May 22 2026, 04:30 UTC: The risk score has been updated to reflect that exploit attempts are now being detected in the wild. Upstream security advisories The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities. Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not . It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules. Solution: Install the latest version. Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.10 . If you use Drupal 11.2.x, update to Drupal 11.2.12 . If you use Drupal 11.1.

CSIRTS triage

vendor: Drupalproduct: Drupal coreSQL injectionaffected: >= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10
What
A SQL injection vulnerability allows attackers to execute arbitrary SQL queries.
Who is affected
Deployments of affected Drupal versions using PostgreSQL are at risk.
Urgency
Remediation is critical due to active exploitation and high severity.
Action
Upgrade to a patched version of Drupal core.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Drupal core

Get an email when a new Drupal core advisory drops — max one per day, one-click unsubscribe.

Details

Source
Drupal Security Advisories (INTL · vendor-psirt · site)
Severity
critical
Published
2026-05-20
Exploitation
Observed in the wild (CISA KEV)

Original advisory: https://www.drupal.org/sa-core-2026-004

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-9082coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

Recent advisories for Drupal core -

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from Drupal Security Advisories