Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.

This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Published: 2026-05-20
Score: 9.8 Critical
EPSS: 84.6% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements in SQL commands in Drupal core permits an attacker to inject arbitrary SQL statements, potentially allowing unauthorized read, modify or delete operations on the database. This flaw is a classic CWE-89 vulnerability that directly compromises confidentiality, integrity and availability of data processed by the application.

Affected Systems

Drupal core versions from 8.9.0 up to, but not including, 10.4.10; 10.5.0 up to, but not including, 10.5.10; 10.6.0 up to, but not including, 10.6.9; 11.0.0 up to, but not including, 11.1.10; 11.2.0 up to, but not including, 11.2.12; and 11.3.0 up to, but not including, 11.3.10 are affected.

Risk and Exploitability

The CVSS score of 9.8 denotes critical severity, while an EPSS of 85% indicates a high probability that the vulnerability will be exploited in the wild. The vulnerability is listed in CISA KEV, underscoring its real‑world risk. Based on the description, the likely attack vector is remote via web input, and exploitation would involve submitting crafted data that is directly incorporated into database queries without proper sanitization.

Generated by OpenCVE AI on June 24, 2026 at 13:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Drupal core to a non‑vulnerable release – upgrade to 10.4.10 or later for the 10.x line, 10.5.10 or later for 10.5.x, 10.6.9 or later for 10.6.x, 11.1.10 or later for 110.x, 11.2.12 or later for 11.2.x, and 11.3.10 or later for 11.3.x.
  • Restrict the database user that the Drupal application uses to the minimum permissions required, removing unnecessary INSERT, UPDATE and DELETE rights.
  • If an immediate upgrade is not possible, deploy a web‑application firewall or input filtering rules that block suspicious SQL patterns and enforce strict validation on all data used in database queries.
  • Continuously monitor application logs and network traffic for signs of attempted SQL injection and review security controls periodically to ensure no new vectors have emerged.

Generated by OpenCVE AI on June 24, 2026 at 13:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ghwc-95x2-682j Drupal Core has a SQL Injection issue
History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal drupal
CPEs cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Vendors & Products Drupal drupal

Fri, 22 May 2026 19:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 22 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-05-22T00:00:00+00:00', 'dueDate': '2026-05-27T00:00:00+00:00'}

Fri, 22 May 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 22 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Thu, 21 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal drupal Core
Vendors & Products Drupal
Drupal drupal Core

Wed, 20 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Title Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
Weaknesses CWE-89
References

Subscriptions

Drupal Drupal Drupal Core
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-05-23T03:55:38.207Z

Reserved: 2026-05-20T13:35:13.119Z

Link: CVE-2026-9082

cve-icon Vulnrichment

Updated: 2026-05-20T19:37:03.431Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-20T20:16:41.230

Modified: 2026-06-17T11:04:48.250

Link: CVE-2026-9082

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T13:30:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')