Critical Vulnerability in Drupal Core
26 May 2026
The Drupal security team has released a security update to address a critical Structured Query Language (SQL) Injection vulnerability in Drupal core affecting multiple supported branches. Users and administrators of affected versions are advised to update to the latest patched versions immediately.
Background
Drupal provides building blocks for websites and applications, such as user account management, content structures, security, and APIs for developers to build custom experiences. The Drupal security team has released a security update to address a critical Structured Query Language (SQL) Injection vulnerability (CVE-2026-9082) identified in Drupal core.
This vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) score of 9.8 out of 10.
Impact
Successful exploitation of this SQL injection vulnerability allows an unauthenticated attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.
Known Exploitation
This vulnerability is reportedly being actively exploited.
Affected Products
This vulnerability affects Drupal core versions:
from 8.9.0 before 10.4.10
from 10.5.0 before 10.5.10
from 10.6.0 before 10.6.9
from 11.0.0 before 11.1.10
from 11.2.0 before 11.2.12
from 11.3.0 before 11.3.10
Recommendation
Users and administrators of affected versions are advised to update to the latest patched versions immediately.
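The affected ranges and the PostgreSQL condition above can be turned into a fleet triage check. The following is an added example, not part of the original advisory or Drupal's own code; the inventory records and their field names (core, db_driver) are constructed for illustration, and pgsql is the name of Drupal's PostgreSQL database driver.

```python
import re

# Affected ranges from the advisory: (first affected, first release outside the range).
AFFECTED = [
    ((8, 9, 0), (10, 4, 10)),
    ((10, 5, 0), (10, 5, 10)),
    ((10, 6, 0), (10, 6, 9)),
    ((11, 0, 0), (11, 1, 10)),
    ((11, 2, 0), (11, 2, 12)),
    ((11, 3, 0), (11, 3, 10)),
]

def parse_version(text):
    """Split '10.5.3' or '11.3.0-rc1' into ((10, 5, 3), suffix)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(\S*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4)

def range_end(version):
    """Return the end of the affected range containing version, else None."""
    numbers, _ = parse_version(version)
    for first_affected, end in AFFECTED:
        if first_affected <= numbers < end:
            return ".".join(map(str, end))
    return None

def triage(site):
    """Classify one inventory record (hypothetical keys: 'core', 'db_driver')."""
    _, suffix = parse_version(site["core"])
    if suffix:
        # Dev/RC builds do not map cleanly onto the advisory's ranges.
        return "manual review: pre-release or dev build"
    end = range_end(site["core"])
    if end is None:
        return "outside the listed affected ranges"
    if site["db_driver"].lower() == "pgsql":
        return f"urgent: affected core on PostgreSQL (range ends at {end})"
    return f"affected core version (range ends at {end})"

# Constructed sample inventory, not real sites.
INVENTORY = [
    {"host": "www.example.org", "core": "10.5.3", "db_driver": "pgsql"},
    {"host": "intranet.example.org", "core": "9.5.11", "db_driver": "mysql"},
    {"host": "shop.example.org", "core": "10.4.11", "db_driver": "pgsql"},
    {"host": "lab.example.org", "core": "11.3.0-rc1", "db_driver": "pgsql"},
]

if __name__ == "__main__":
    for site in INVENTORY:
        print(site["host"], "->", triage(site))
```

The ranges are not contiguous: 10.4.11 falls in the gap between the first and second range and is reported as outside them, while a site on a non-PostgreSQL driver within a range is still flagged for update.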
References
https://www.drupal.org/sa-core-2026-004
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://nvd.nist.gov/vuln/detail/CVE-2026-9082
https://thehackernews.com/2026/05/drupal-core-sql-injection-bug-actively.html
