All CVEs
Vulnerability intelligence

CVE-2026-9082

Drupal Core SQL Injection Vulnerability

Drupal Core CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

CVSS Score
9.8
Critical
EPSS — Exploit Probability
85%
Riskier than 100% of all CVEs
Exploitation
Confirmed in the wild
Used in ransomware campaigns
Remediation
unknown
Federal deadline 2026-05-27
CISA required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2026-05-27.

NVD entry PoC / advisory CISA KEV

8 articles across 5 outlets · first covered May 21, 2026 · latest May 25, 2026

Tracked incidents

Coverage timeline