CRITICALCVE-2026-9082Published 2026-05-20Modified 2026-05-23CNA drupal

CVE-2026-9082: Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 10.4.10
Affected Products: 1

Fix available

10.4.1010.5.1010.6.911.1.1011.2.1211.3.10

Affected packages

Drupal / Drupal core
< 10.4.10 (from 8.9.0) · < 10.5.10 (from 10.5.0) · < 10.6.9 (from 10.6.0) · < 11.1.10 (from 11.0.0) · < 11.2.12 (from 11.2.0) · < 11.3.10 (from 11.3.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

drupal.org

Metrics

Fix available