SB2026052116 - SQL injection in Drupal API




Published: May 21, 2026

Security Bulletin ID: SB2026052116
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) SQL injection (CVE-ID: CVE-2026-9082)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary SQL queries.

The vulnerability exists due to improper input validation in the database abstraction API when handling specially crafted requests. A remote attacker can send a specially crafted request and inject arbitrary SQL commands.

Only sites using PostgreSQL databases are vulnerable. Anonymous exploitation is possible. Successful exploitation can lead to information disclosure and, in some cases, privilege escalation or remote code execution.


Remediation

Install the update from the vendor's website.