Impact
The vulnerability is an improper neutralization of special elements used in an SQL command, commonly known as SQL injection, in Drupal core. The flaw allows an attacker to inject arbitrary SQL statements into database queries, potentially leading to full data disclosure, data modification, or denial of service. It is identified as CWE‑89, reflecting a failure to properly validate or encode user input before its inclusion in an SQL command.
Affected Systems
Drupal core is affected across multiple major releases. The vulnerable ranges are 8.9.0 up to but not including 10.4.10, 10.5.0 up to but not including 10.5.10, 10.6.0 up to but not including 10.6.9, 11.0.0 up to but not including 11.1.10, 11.2.0 up to but not including 11.2.12, and 11.3.0 up to but not including 11.3.10. All of these releases share the same injection flaw and must be updated to the first non‑vulnerable release of their branch (10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10).
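As an added example that is not part of the advisory, the following check maps a Drupal core version string onto the ranges above, treating each range as [first affected, first fixed) and treating a pre-release tag (the "-rc1" / "-dev" suffix format is an assumption about how such versions are written) as sorting before its final release, so that "10.4.10-rc1" still counts as vulnerable:

```python
# Added example (not from the advisory): decide whether a Drupal core version
# falls inside the affected ranges stated above. Each range is [start, fixed):
# the start version is vulnerable, the fixed version is not.
from typing import Optional, Tuple

AFFECTED_RANGES = [
    ("8.9.0", "10.4.10"),
    ("10.5.0", "10.5.10"),
    ("10.6.0", "10.6.9"),
    ("11.0.0", "11.1.10"),
    ("11.2.0", "11.2.12"),
    ("11.3.0", "11.3.10"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.4.10' into a comparable tuple.

    A trailing pre-release tag such as '-rc1' or '-dev' (assumed format) is
    dropped, and a final marker of 0 (pre-release) or 1 (final release) is
    appended so that '10.4.10-rc1' sorts strictly before '10.4.10'.
    """
    core, sep, _tag = v.partition("-")
    final_marker = 0 if sep else 1
    return tuple(int(p) for p in core.split(".")) + (final_marker,)


def fixed_release_for(version: str) -> Optional[str]:
    """Return the first non-vulnerable release of the matching branch.

    Returns None when the version is outside every affected range.
    """
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if parse_version(start) <= v < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True if the version is inside any [start, fixed) range."""
    return fixed_release_for(version) is not None


if __name__ == "__main__":
    # Constructed inventory sample, not real hosts.
    for site, ver in [("intranet", "10.4.9"), ("www", "11.2.12"), ("legacy", "9.5.11")]:
        print(site, ver, "affected, update to" if is_affected(ver) else "not affected",
              fixed_release_for(ver) or "")
```

Versions between two ranges, such as 10.4.10 through 10.4.x, are reported as not affected because the advisory's ranges do not include them.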
Risk and Exploitability
No EPSS data or KEV listing is available, but the repository state and the nature of SQL injection suggest a high likelihood of exploitation once an affected site is exposed to the internet. The CVSS score is 6.5, indicating medium severity, yet the potential impact of remote code execution or data compromise makes the risk significant. It is inferred that an attacker could exploit this vector by submitting crafted input through any user‑controllable parameter that is interpolated into SQL statements, such as form fields, query strings, or administrative interfaces, without additional authentication.
OpenCVE Enrichment