CVE-2026-9082
Actively exploited. CVE-2026-9082 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-05-22) — exploitation has been observed in the wild, and US federal agencies are required to remediate it under BOD 22-01. Treat patching as urgent.
Public exploit code is available. Proof-of-concept or working exploit code for CVE-2026-9082 is indexed in Exploit-DB, GitHub PoC and Nuclei. Expect opportunistic scanning and exploitation attempts — prioritize remediation.
Project: Drupal core Date: 2026-May-20 Security risk: Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:Uncommon Vulnerability: SQL injection Affected versions: >= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10 CVE IDs: CVE-2026-9082 Description: Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. This vulnerability can be exploited by anonymous users. This SQL injection vulnerability only affects sites using PostgreSQL . However, the third-party dependency updates in these releases apply to all sites. Updates May 22 2026, 04:30 UTC: The risk score has been updated to reflect that exploit attempts are now being detected in the wild. Upstream security advisories The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities. Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not . It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules. Solution: Install the latest version. Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.10 . If you use Drupal 11.2.x, update to Drupal 11.2.12 . If you use Drupal 11.1.
CSIRTS triage
- What
- A SQL injection vulnerability allows attackers to execute arbitrary SQL queries.
- Who is affected
- Deployments of affected Drupal versions using PostgreSQL are at risk.
- Urgency
- Remediation is critical due to active exploitation and high severity.
- Action
- Upgrade to a patched version of Drupal core.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-9082
Get an email if CVE-2026-9082 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Exploitation confirmedAlready exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 100% of all EPSS-scored CVEs.
Exploit availability
Public exploit or proof-of-concept code for CVE-2026-9082 is indexed in these free datasets. Available exploit code raises real-world risk independent of the CVSS score.
- Exploit-DBA public exploit is published in the Exploit-DB archive.look it up ↗
- GitHub PoCPublic proof-of-concept repositories on GitHub reference this CVE.look it up ↗
- NucleiA nuclei-templates detection/PoC template exists for this CVE.look it up ↗
Advisory coverage (2)
- criticalexploitedCVE-2026-9082: Drupal Core SQL Injection Vulnerabilitycisa-kev · 2026-05-22
- criticalexploitedDrupal core - Highly critical - SQL injection - SA-CORE-2026-004drupal · 2026-05-20
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-9082)