🔴 CVE-2026-9082

Critical unauthenticated SQL injection vulnerability in Drupal core affecting installations that use the PostgreSQL database backend. It is exploitable directly over the network against internet-facing Drupal sites, without credentials, and yields full database access with potential for remote code execution.

Risk Level: HIGH_RISK
MITRE Technique: T1190
CVSS Score: 9.1
Attack Vector: NETWORK
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-05-20

Added to CISA KEV: 2026-05-22 (2 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence

Key Sources:

  • CVE-2026-9082: Mitigating a Critical SQL Injection Vulnerability in...

    Vulnerability details. At the core of CVE-2026-9082 is a breakdown in how external input is sanitized before reaching the database abstraction layer. Site administrators should immediately cross-reference their current deployments with the official Drupal security advisory (SA-CORE-2026-004) and update their core installations to the designated patch releases across all supported branches (Drupal 10 and 11). The vulnerable versions include ... Learn how the complex Drupal SQLi vulnerability (CVE-2026-9082) exploits PostgreSQL environments and its data theft risks, and how to ... Details have emerged regarding a highly complex SQL injection (SQLi) vulnerability that is impacting Drupal core. It is officially tracked as CVE-2026-9082 and detailed in the vendor advisory SA-CORE-2026-004.
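    The cross-reference the snippet asks for needs two facts per site: which database driver each connection uses, and which drupal/core version is installed. The following is an added Python example, not part of the original page and not Drupal's own tooling: it pulls the driver from a settings.php text and the core version from composer.lock. The settings.php and composer.lock contents embedded below are constructed samples; the version and driver values in them are placeholders and are not taken from the advisory, so the reported version must still be compared by hand against the patched releases listed in SA-CORE-2026-004. Only sites whose driver is pgsql are in scope for this CVE.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample of the database block from a Drupal settings.php
# (not taken from any real site; values are placeholders).
SAMPLE_SETTINGS_PHP = r"""<?php
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'example-password',
  'host' => 'db.internal',
  'port' => '5432',
  'driver' => 'pgsql',
  'prefix' => '',
];
"""

# Constructed sample composer.lock with an arbitrary drupal/core version;
# the real vulnerable and fixed versions are listed in SA-CORE-2026-004.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.0"},
        {"name": "drupal/core-recommended", "version": "10.3.0"},
    ]
})

# Matches 'driver' => 'pgsql' (single or double quotes) in a PHP array.
DRIVER_RE = re.compile(r"""['"]driver['"]\s*=>\s*['"]([A-Za-z0-9_]+)['"]""")


def database_drivers(settings_php: str) -> List[str]:
    """Every 'driver' => '...' value declared in settings.php (one per connection)."""
    return DRIVER_RE.findall(settings_php)


def drupal_core_version(composer_lock: str) -> Optional[str]:
    """Installed drupal/core version recorded in composer.lock, or None if absent."""
    for pkg in json.loads(composer_lock).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None


def triage(settings_php: str, composer_lock: str) -> Dict[str, object]:
    """Summarise what matters for SA-CORE-2026-004: the core version and
    whether any configured connection uses the PostgreSQL driver."""
    drivers = database_drivers(settings_php)
    return {
        "core_version": drupal_core_version(composer_lock),
        "drivers": drivers,
        "uses_pgsql": "pgsql" in drivers,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SETTINGS_PHP, SAMPLE_COMPOSER_LOCK)
    print(report)
    if report["uses_pgsql"]:
        print("PostgreSQL backend in use: compare", report["core_version"],
              "against the patched releases in SA-CORE-2026-004")
```

    On a live site the same two values (Drupal version and DB driver) are shown by `drush core:status`, which avoids parsing files; the script above is for fleets where settings.php and composer.lock are easier to collect centrally than shell access.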

  • CVE-2026-9082 | Tenable®

    CVE-2026-9082: Critical Drupal Core SQL Injection Vulnerability | Tenable®. Published: 2026-05-21. CVE-2026-9082 is a highly critical SQL injection in Drupal core affecting PostgreSQL sites. Patches available. Unauthenticated exploitation possible.

  • CVE-2026-9082: Unauthenticated SQL Injection in Drupal ...

    Drupal Core contains a highly critical SQL injection vulnerability (CVE-2026-9082) within its Database Abstraction API. The flaw specifically affects installations using the PostgreSQL database backend, allowing unauthenticated attackers to execute arbitrary SQL commands via crafted array keys in filter parameters. ... CVE-2026-9082 is an unauthenticated SQL Injection (CWE-89) vulnerability residing within the core architecture of Drupal. It specifically affects installations utilizing the PostgreSQL database backend. Deployments running MySQL, MariaDB, and SQLite remain unaffected by this specific attack vector due to differences in database driver implementation and syntax handling.
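    To make the "crafted array keys in filter parameters" point concrete, here is an added illustration in Python. It is not Drupal's code and does not reproduce the actual vulnerable code path in the Database Abstraction API; it shows the general CWE-89 pattern the snippet describes. A query builder binds the filter values as parameters, so the driver escapes them, but splices the filter's dict keys (the column names) straight into the SQL text. Identifiers cannot be bound as parameters, so an attacker who controls a key controls the query, and the only defenses are an allowlist of columns plus strict identifier quoting. The column allowlist, the identifier regex and the two sample filter dicts are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Columns a caller is allowed to filter on (assumed for this example).
ALLOWED_COLUMNS = {"nid", "status", "type", "uid"}

# Conservative identifier shape: letters, digits and underscore only.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed inputs: what a normal caller passes, and what an attacker who
# controls the request parameter NAMES (the dict keys) could pass instead.
BENIGN_FILTERS = {"status": 1, "type": "article"}
MALICIOUS_FILTERS = {"status = 1 OR 1=1 --": "ignored"}


def build_where_unsafe(filters: Dict[str, object]) -> Tuple[str, List[object]]:
    """Vulnerable pattern (CWE-89): each VALUE becomes a %s parameter that the
    driver escapes, but each KEY is written into the SQL text verbatim.
    Column names cannot be bound as parameters, so nothing protects them."""
    clauses = [f"{column} = %s" for column in filters]
    return " AND ".join(clauses), list(filters.values())


def build_where_safe(filters: Dict[str, object]) -> Tuple[str, List[object]]:
    """Hardened pattern: a key must be a known column AND a plain identifier
    before it is quoted into the SQL text; anything else is rejected."""
    clauses: List[str] = []
    params: List[object] = []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS or not IDENT_RE.match(column):
            raise ValueError(f"rejected filter column: {column!r}")
        # Double quotes are PostgreSQL's identifier quoting.
        clauses.append(f'"{column}" = %s')
        params.append(value)
    return " AND ".join(clauses), params


def rejects(filters: Dict[str, object]) -> bool:
    """True if the hardened builder refuses the given filters."""
    try:
        build_where_safe(filters)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sql, params = build_where_unsafe(MALICIOUS_FILTERS)
    print("unsafe :", sql, params)   # the attacker's key is now part of the query
    print("safe   :", build_where_safe(BENIGN_FILTERS))
    print("rejects malicious filters:", rejects(MALICIOUS_FILTERS))
```

    With the malicious dict the unsafe builder emits `status = 1 OR 1=1 -- = %s`: the comment marker swallows the placeholder, the bound value is never used, and the condition is always true. The hardened builder refuses the same input before any SQL is built, which is the behaviour a patched query layer should have regardless of which database backend is configured.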

  • CVE-2026-9082 - Vulnerability Details - OpenCVE

    The vulnerability is an improper neutralization of special elements used in an SQL command, commonly known as SQL injection, in Drupal core. The flaw allows an attacker to inject arbitrary SQL statements into database queries, potentially leading to full data disclosure, data modification, or denial of service. It is identified as CWE‑89, reflecting a failure to properly validate or encode ...

  • Known Exploited Vulnerabilities Catalog | CISA
