Detections
Analytics
Drupal 10.x < 10.4.10 / 10.5.x < 10.5.10 / 10.6.x < 10.6.9 / 11.1.x < 11.1.10 / 11.2.x < 11.2.12 / 11.3.x < 11.3.10 Drupal Vulnerability (SA-CORE-2026-004)
medium Nessus Plugin ID 315939
Synopsis
A PHP application running on the remote web server is affected by a vulnerability.Description
According to its self-reported version, the instance of Drupal running on the remote web server is 10.x prior to 10.4.10, 10.5.x prior to 10.5.10, 10.6.x prior to 10.6.9, 11.1.x prior to 11.1.10, 11.2.x prior to 11.2.12, or 11.3.x prior to 11.3.10. It is, therefore, affected by a vulnerability.- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10. (CVE-2026-9082)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Drupal version 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 or later.See Also
https://www.drupal.org/sa-core-2026-004
https://symfony.com/blog/category/security-advisories
http://www.nessus.org/u?a60fceaa
http://www.nessus.org/u?d618ed34
https://www.drupal.org/project/drupal/releases/10.4.10
https://www.drupal.org/project/drupal/releases/10.5.10
https://www.drupal.org/project/drupal/releases/10.6.9
https://www.drupal.org/project/drupal/releases/11.1.10
https://www.drupal.org/project/drupal/releases/11.2.12
https://www.drupal.org/project/drupal/releases/11.3.10
Plugin Details
Severity: Medium
ID: 315939
File Name: drupal_11_3_10.nasl
Version: 1.1
Type: Remote
Family: CGI abuses
Published: 5/20/2026
Updated: 5/20/2026
Configuration: Enable paranoid mode, Enable thorough checks (optional)
Supported Sensors: Nessus
Risk Information
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2026-9082
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Temporal Score: 5.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:drupal:drupal
Required KB Items: installed_sw/Drupal, Settings/ParanoidReport
Exploit Ease: No known exploits are available
Patch Publication Date: 5/20/2026
Vulnerability Publication Date: 5/19/2026
Reference Information
CVE: CVE-2026-9082