CVE-2026-9082 is a highly critical SQL injection in Drupal core affecting PostgreSQL sites. Patches available. Unauthenticated exploitation possible.

CVE-2026-9082: Critical Drupal Core SQL Injection Vulnerability | Tenable®

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

This highly critical vulnerability in Drupal sites using PostgreSQL is under active exploitation. Patches are available and should be applied as soon as possible.

A highly critical vulnerability in Drupal sites using PostgreSQL that could be exploited by an anonymous attacker. We are monitoring for PoCs and exploit attempts.

Drupal is releasing a critical severity update on May 20. The advisory warns that exploits may be developed within hours or days. Patching should be preformed asap.

Drupal versions 8.9.x, 9.x, 10.4.0 < 10.4.10, 10.5.0 < 10.5.10, 10.6.0 < 10.6.9, 11.0.0 < 11.1.10, 11.2.0 < 11.2.12 and 11.3.0 < 11.3.10 suffer from a SQL injection vulnerability in the database abstraction API. An unauthenticated, remote attacker can send specially crafted requests to perform arbitrary SQL injection on PostgreSQL-based sites, resulting in information disclosure, and in some cases privilege escalation or remote code execution.

According to its self-reported version number, the detected Drupal application is affected by a SQL injection vulnerability. A flaw in Drupal's database abstraction API permits attackers to craft requests that result in arbitrary SQL injection on sites running PostgreSQL. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. The vulnerability can be exploited by anonymous users. Note that this SQL injection vulnerability only affects sites using PostgreSQL.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 10.x prior to 10.4.10, 10.5.x prior to 10.5.10, 10.6.x prior to 10.6.9, 11.1.x prior to 11.1.10, 11.2.x prior to 11.2.12, or 11.3.x prior to 11.3.10. It is, therefore, affected by a vulnerability.

  - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in     Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from     10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12,     from 11.3.0 before 11.3.10. (CVE-2026-9082)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
115251	Drupal JSONAPI SQL Injection	Web App Scanning	Component Vulnerability	medium
115250	Drupal < 10.4.10 SQL Injection	Web App Scanning	Component Vulnerability	medium
115249	Drupal 10.5.x < 10.5.10 SQL Injection	Web App Scanning	Component Vulnerability	medium
115248	Drupal 10.6.x < 10.6.9 SQL Injection	Web App Scanning	Component Vulnerability	medium
115247	Drupal 11.1.x < 11.1.10 SQL Injection	Web App Scanning	Component Vulnerability	medium
115246	Drupal 11.2.x < 11.2.12 SQL Injection	Web App Scanning	Component Vulnerability	medium
115245	Drupal 11.3.x < 11.3.10 SQL Injection	Web App Scanning	Component Vulnerability	medium
315939	Drupal 10.x < 10.4.10 / 10.5.x < 10.5.10 / 10.6.x < 10.6.9 / 11.1.x < 11.1.10 / 11.2.x < 11.2.12 / 11.3.x < 11.3.10 Drupal Vulnerability (SA-CORE-2026-004)	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2026-9082

medium

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium