Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.

This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Published: 2026-05-20
Score: 9.8 Critical
EPSS: 10.4% Moderate
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements used in an SQL command was identified in Drupal core, allowing an attacker to inject arbitrary SQL statements through unvalidated user input. The flaw can be exploited by manipulating inputs that are incorporated directly into database queries, exposing the database to unintended commands. This vulnerability is a classic example of CWE‑89 (SQL Injection).

Affected Systems

Drupal core versions affected include 8.9.0 through just before 10.4.10, 10.5.0 through just before 10.5.10, 10.6.0 through just before 10.6.9, 11.0.0 through just before 11.1.10, 11.2.0 through just before 11.2.12, and 11.3.0 through just before 11.3.10.

Risk and Exploitability

The CVSS score of 9.8 indicates high severity. The EPSS score of 10% indicates a moderate probability of exploitation, and the vulnerability is listed in KEV. Based on the description, the likely attack vector is remote via web input where sufficient privileges are granted in the Drupal application. Exploitation would involve submitting crafted input that bypasses proper escaping in SQL queries without additional authentication or configuration steps.

Generated by OpenCVE AI on June 7, 2026 at 16:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Drupal core to a non‑vulnerable release (e.g., 10.4.10 or newer for the 10.x line, 10.5.10 or newer for 10.5.x, 10.6.10 or newer for 10.6.x, 11.1.10 or newer for 11.0.x, 11.2.12 or newer for 11.2.x, 11.3.10 or newer for 11.3.x).
  • Configure the database user that the Drupal application uses to run with the least privileges required; remove unnecessary INSERT, UPDATE, and DELETE permissions.
  • If an immediate upgrade is not achievable, deploy a web application firewall or request‑filtering rules that block suspicious SQL patterns and restrict access to the affected modules until a patch is applied.

Generated by OpenCVE AI on June 7, 2026 at 16:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal drupal
CPEs cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Vendors & Products Drupal drupal

Fri, 22 May 2026 19:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 22 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-05-22T00:00:00+00:00', 'dueDate': '2026-05-27T00:00:00+00:00'}

Fri, 22 May 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 22 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Thu, 21 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal drupal Core
Vendors & Products Drupal
Drupal drupal Core

Wed, 20 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Title Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
Weaknesses CWE-89
References

Subscriptions

Drupal Drupal Drupal Core
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-05-23T03:55:38.207Z

Reserved: 2026-05-20T13:35:13.119Z

Link: CVE-2026-9082

cve-icon Vulnrichment

Updated: 2026-05-20T19:37:03.431Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-20T20:16:41.230

Modified: 2026-05-22T19:38:04.930

Link: CVE-2026-9082

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T16:45:04Z

Weaknesses