Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-9082
PUBLISHED
More InfoOfficial Page
Assigner-drupal
Assigner Org ID-2c85b837-eb8b-40ed-9d74-228c62987387
View Known Exploited Vulnerability (KEV) details
Published At-20 May, 2026 | 18:20
Updated At-23 May, 2026 | 03:55
Rejected At-
▼CVE Numbering Authority (CNA)
Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Affected Products
Vendor
The Drupal AssociationDrupal
Product
Drupal core
Collection URL
https://www.drupal.org/project/drupal
Repo
https://git.drupalcode.org/project/drupal
Default Status
unaffected
Versions
Affected
  • From 8.9.0 before 10.4.10 (semver)
  • From 10.5.0 before 10.5.10 (semver)
  • From 10.6.0 before 10.6.9 (semver)
  • From 11.0.0 before 11.1.10 (semver)
  • From 11.2.0 before 11.2.12 (semver)
  • From 11.3.0 before 11.3.10 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-66CAPEC-66 SQL Injection
CAPEC ID: CAPEC-66
Description: CAPEC-66 SQL Injection
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Michael Maturi (michaelmaturi)
remediation developer
Björn Brala (bbrala)
remediation developer
Benji Fisher (benjifisher)
remediation developer
catch (catch)
remediation developer
Lee Rowlands (larowlan)
remediation developer
Dave Long (longwave)
remediation developer
Drew Webber (mcdruid)
remediation developer
Jess (xjm)
coordinator
Anna Kalata (akalata)
coordinator
Benji Fisher (benjifisher)
coordinator
catch (catch)
coordinator
Damien McKenna (damienmckenna)
coordinator
Neil Drumm (drumm)
coordinator
Greg Knaddison (greggles)
coordinator
Heine Deelstra (heine)
coordinator
Tim Hestenes Lehnen (hestenet)
coordinator
Dave Long (longwave)
coordinator
Drew Webber (mcdruid)
coordinator
Juraj Nemec (poker10)
coordinator
Pierre Rudloff (prudloff)
coordinator
Jess (xjm)
coordinator
Cathy Theys (yesct)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.drupal.org/sa-core-2026-004
N/A
Hyperlink: https://www.drupal.org/sa-core-2026-004
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
kev
dateAdded:
2026-05-22
reference:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
CVE-2026-9082 added to CISA KEV2026-05-22 00:00:00
Event: CVE-2026-9082 added to CISA KEV
Date: 2026-05-22 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082
government-resource
Hyperlink: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082
Resource:
government-resource
Details not found