Drupal Core SQL injection Vulnerability Added to CISA KEV (CVE-2026-9082)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an actively exploited Drupal Core vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2026-9082, the flaw is a SQL injection whose successful exploitation may allow an attacker to elevate privileges and execute code remotely. CISA set a remediation due date of May 27, 2026 (binding on federal civilian agencies under BOD 22-01) and urged all users to patch before then.

Drupal's advisory notes that exploit attempts are already being detected in the wild.

Drupal Core is the foundational, stock codebase of the Drupal content management platform. It provides the essential framework, PHP scripts, and default architectural features required to boot up the system and run a website.

Vulnerability Details

Drupal core includes a database abstraction API that is meant to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A flaw in this API allows an attacker to send specially crafted requests that result in arbitrary SQL injection on sites using PostgreSQL databases. Successful exploitation can lead to information disclosure and, in some cases, to privilege escalation, remote code execution, or other attacks.

This vulnerability can be exploited by anonymous users.

This SQL injection vulnerability only affects sites using PostgreSQL. However, the third-party dependency updates in these releases apply to all sites.

Affected Versions

The vulnerability affects the following Drupal versions:

  • Drupal 11.3.x before Drupal 11.3.10
  • Drupal 11.2.x before Drupal 11.2.12
  • Drupal 11.1.x before Drupal 11.1.10
  • Drupal 10.6.x before Drupal 10.6.9
  • Drupal 10.5.x before Drupal 10.5.10
  • Drupal 10.4.x before Drupal 10.4.10
  • Drupal 9.x, including the 9.5 branch (end of life; no fixed release is published)
  • Drupal 8.9.x (end of life; no fixed release is published)

Mitigation

Users must upgrade to the following versions to patch the vulnerability:

  • Drupal 11.3.10
  • Drupal 11.2.12
  • Drupal 11.1.10
  • Drupal 10.6.9
  • Drupal 10.5.10
  • Drupal 10.4.10
  • Drupal 9.5 (end of life; manual patching required)
  • Drupal 8.9 (end of life; manual patching required)
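A small triage helper that turns the affected and fixed versions above into a check an administrator can run against a site's checkout. This is an added example written for this post; it is not code from Drupal, Qualys or the advisory. It assumes two real Drupal conventions: the core version is declared as `const VERSION = '...'` in `core/lib/Drupal.php`, and the database driver appears as `'driver' => 'pgsql'` in `sites/default/settings.php`. The branch classification for versions the advisory does not list (for example 10.3.x or 11.0.x) is my own conservative reading, not a statement from the advisory.

```python
"""Triage helper for SA-CORE-2026-004 / CVE-2026-9082.

Added example, not Drupal's or Qualys' code. It reads the core version and the
database driver from files a Drupal site already has and reports whether the
advisory's fixed release has been applied.
"""
import re

# Fixed releases from the advisory, keyed by release branch (major, minor).
FIXED_RELEASES = {
    (11, 3): (11, 3, 10),
    (11, 2): (11, 2, 12),
    (11, 1): (11, 1, 10),
    (10, 6): (10, 6, 9),
    (10, 5): (10, 5, 10),
    (10, 4): (10, 4, 10),
}

# Drupal core declares its version as a class constant in core/lib/Drupal.php.
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*['\"]([0-9A-Za-z.\-]+)['\"]")

# settings.php declares the database driver inside the $databases array.
PGSQL_RE = re.compile(r"['\"]driver['\"]\s*=>\s*['\"]pgsql['\"]")


def parse_version(drupal_php_text):
    """Extract the version string from the contents of core/lib/Drupal.php."""
    match = VERSION_RE.search(drupal_php_text)
    if not match:
        raise ValueError("no VERSION constant found in core/lib/Drupal.php")
    return match.group(1)


def version_tuple(version):
    """'10.5.9' -> (10, 5, 9). A '-dev' suffix is dropped and a non-numeric
    component such as the 'x' in '11.3.x-dev' becomes 0, so development
    builds compare as older than every tagged release on their branch."""
    core = version.split("-", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version):
    """Classify a core version against the advisory.

    Returns (status, detail) where status is one of
    'fixed', 'vulnerable', 'manual-patch' or 'unlisted'."""
    v = version_tuple(version)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        fixed_str = ".".join(str(n) for n in fixed)
        if v >= fixed:
            return "fixed", f"at or above {fixed_str}"
        return "vulnerable", f"upgrade to {fixed_str}"
    if v[0] in (8, 9):
        # Drupal 8 and 9 are end of life; the advisory offers a manual patch only.
        return "manual-patch", "end-of-life branch; apply the SA-CORE-2026-004 patch manually"
    # Assumption (not from the advisory): an unsupported 10.x/11.x minor that
    # the advisory does not list gets no fix and should be treated as affected.
    return "unlisted", "unsupported branch not covered by the advisory; move to a fixed release"


def uses_postgres(settings_php_text):
    """True when settings.php selects the pgsql driver (the SQLi only applies there)."""
    return PGSQL_RE.search(settings_php_text) is not None


def triage(drupal_php_text, settings_php_text):
    """Combine the version and driver checks into a single verdict."""
    version = parse_version(drupal_php_text)
    status, detail = assess(version)
    pgsql = uses_postgres(settings_php_text)
    # The dependency updates apply to every site, so a non-pgsql site is still
    # told to update, but the SQL injection exposure itself is pgsql-only.
    sqli_exposed = pgsql and status != "fixed"
    return {
        "version": version,
        "status": status,
        "detail": detail,
        "pgsql": pgsql,
        "sqli_exposed": sqli_exposed,
    }


if __name__ == "__main__":
    # Constructed sample inputs standing in for the two files on disk.
    sample_drupal_php = "class Drupal {\n  const VERSION = '10.5.9';\n}\n"
    sample_settings = "$databases['default']['default'] = [\n  'driver' => 'pgsql',\n];\n"
    print(triage(sample_drupal_php, sample_settings))
```

On a real site, replace the constructed strings with the contents of `core/lib/Drupal.php` and `sites/default/settings.php`; the `sqli_exposed` flag is the one to act on, while a `status` other than `fixed` on a non-PostgreSQL site still means the dependency updates have not been applied.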

For more information, please refer to the Drupal Security Advisory (SA-CORE-2026-004).

Qualys Detection

Qualys customers can scan their devices with QID 734308 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://www.drupal.org/SA-CORE-2026-004