CVE-2026-9082

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-89

Threats tracking this CVE

• Drupal Core Highly Critical SQL Injection in Database Abstraction API (PostgreSQL) — SA-CORE-2026-004 / CVE-2026-9082 — CRITICAL

References

• https://www.drupal.org/sa-core-2026-004

Markdown version · Threadlinqs Intelligence