Vulnerability intelligence
CVE-2026-9082
Drupal Core SQL Injection Vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
CVSS Score
9.8
Critical
EPSS — Exploit Probability
85%
Riskier than 100% of all CVEs
Exploitation
Confirmed in the wild
Used in ransomware campaigns
Remediation
unknown
Federal deadline 2026-05-27
CISA required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2026-05-27.
8 articles across 5 outlets · first covered May 21, 2026 · latest May 25, 2026
Tracked incidents
Coverage timeline
-
Poisoned Code: Stealthy Malicious Go Module Backdoor Discovered in Long-Running Typosquatsecurityonline.info · May 25, 2026
-
Drupal SQL Injection Bug Exploited Live, Extortion Tactics Surgesecurityaffairs.com · May 24, 2026
-
CISA adds Drupal SQL flaw CVE-2026-9082 to KEV cataloguesecurityaffairs.com · May 24, 2026
-
Critical Drupal SQLi flaw exposes thousands of PostgreSQL sitessecurityaffairs.com · May 23, 2026
-
CISA Flags Drupal SQL Injection Flaw CVE-2026-9082 in KEV Catalogwww.cisa.gov · May 22, 2026
-
Drupal Core Critical Flaw CVE-2026-9082 Allows RCEcisa.gov · May 22, 2026
-
Drupal Critical SQL Flaw CVE-2026-9082 Prompts Urgent Patchwww.securityweek.com · May 22, 2026
-
Drupal patches PostgreSQL SQL injection flaw CVE-2026-9082www.securityweek.com · May 21, 2026