Detections
Analytics
Drupal 11.1.x < 11.1.10 SQL Injection
medium Web App Scanning Plugin ID 115247
Language:
Synopsis
Drupal 11.1.x < 11.1.10 SQL InjectionDescription
According to its self-reported version number, the detected Drupal application is affected by a SQL injection vulnerability. A flaw in Drupal's database abstraction API permits attackers to craft requests that result in arbitrary SQL injection on sites running PostgreSQL. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. The vulnerability can be exploited by anonymous users. Note that this SQL injection vulnerability only affects sites using PostgreSQL.Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update to Drupal version 11.1.10 or latest.See Also
Plugin Details
Severity: Medium
ID: 115247
Type: Version Based
Family: Component Vulnerability
Published: 5/22/2026
Updated: 5/22/2026
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 5.6
CVSS v2
Risk Factor: Medium
Base Score: 6.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS Score Source: CVE-2026-9082
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS Score Source: CVE-2026-9082
Vulnerability Information
CPE: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Publication Date: 5/18/2026
Reference Information
CVE: CVE-2026-9082
CWE: 89
OWASP: 2010-A1, 2013-A1, 2013-A9, 2017-A1, 2017-A9, 2021-A3, 2021-A6, 2025-A5, 2025-A6
WASC: SQL Injection
CAPEC: 108, 109, 110, 470, 66, 7
DISA STIG: APSC-DV-002540, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10
OWASP API: 2019-API7, 2019-API8, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.3.4