What is CVE-2026-9082?
An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal core allows SQL injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
CISA Known Exploited Vulnerability: Drupal Core SQL Injection Vulnerability
Affected product: Drupal Core
Remediation Steps
- Update all supported Drupal Core versions to the latest patched release immediately
- Review database query logs for evidence of SQL injection attempts
- Ensure database user accounts are restricted to minimum required privileges
- Monitor for malicious activity on systems running affected Drupal versions
🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.