CVE Catalog

CVE-2026-9082

Critical
Published: Translated: NVD NIST

Summary

A SQL Injection vulnerability in Drupal core is caused by improper neutralization of special elements used in SQL commands. This affects versions from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, and from 11.3.0 before 11.3.10.

Risk Assessment

An attacker could exploit this vulnerability to execute unauthorized SQL commands, potentially leading to data exposure or system compromise. Organizations should be aware of the risks associated with outdated Drupal versions.

Recommendation

It is recommended to upgrade to the latest version of Drupal to mitigate this vulnerability. Regular monitoring and updating of systems is crucial for maintaining security.

Original NVD description (English source)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS