SQL injection in Drupal - CVE-2026-9082

Published: May 21, 2026


Vulnerability identifier: #VU132032
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-9082
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Drupal
Affected software:
Drupal

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL queries.

The vulnerability exists due to improper input validation in the database abstraction API when handling specially crafted requests. A remote attacker can send a specially crafted request to perform arbitrary SQL injection.

Only sites using PostgreSQL databases are vulnerable. Anonymous exploitation is possible. Successful exploitation can lead to information disclosure and, in some cases, privilege escalation or remote code execution.


How to mitigate CVE-2026-9082

Install the security update from the vendor's website.

Sources