CVE-2026-9082

⛔ critical

AI Summary

An actively exploited SQL Injection in Drupal core (versions 8.9.0 through 11.3.10) allows attackers to execute arbitrary SQL commands. This grants full control over the database, leading to data compromise.

Summary

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

CVSS Score

9.8

Critical

EPSS Score

34.2

Exploit Probability

Published Date

2026-05-20

First Seen: 2026-05-21

📊 Relative Risk Intelligence

This CVE is Very High Risk - more severe than 90.5% of all 327,350 vulnerabilities in our database.

#31,115

Top 10% most severe

Severity Percentile

🎯 CISA SSVC Assessment Updated: May 20, 2026

🔍 Exploitation Status

Active

Exploits detected in the wild

⚙️ Automatable

YES

Can be exploited automatically

💥 Technical Impact

Total

Complete system compromise possible

🏆 Discovered By

Michael Maturi (michaelmaturi) Björn Brala (bbrala) (remediation developer) Benji Fisher (benjifisher) (remediation developer) catch (catch) (remediation developer) Lee Rowlands (larowlan) (remediation developer) Dave Long (longwave) (remediation developer) Drew Webber (mcdruid) (remediation developer) Jess (xjm) (remediation developer) Anna Kalata (akalata) (coordinator) Benji Fisher (benjifisher) (coordinator) catch (catch) (coordinator) Damien McKenna (damienmckenna) (coordinator) Neil Drumm (drumm) (coordinator) Greg Knaddison (greggles) (coordinator) Heine Deelstra (heine) (coordinator) Tim Hestenes Lehnen (hestenet) (coordinator) Dave Long (longwave) (coordinator) Drew Webber (mcdruid) (coordinator) Juraj Nemec (poker10) (coordinator) Pierre Rudloff (prudloff) (coordinator) Jess (xjm) (coordinator) Cathy Theys (yesct) (coordinator)

SSVC data provided by CISA

Last Modified 2026-05-22

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE IDs (Weakness Types)

CWE-89

Vendor	Product	Status	Affected Versions
drupal	drupal	Affected	> 8.9.0 < 10.4.10
drupal	drupal	Affected	> 10.5.0 < 10.5.10
drupal	drupal	Affected	> 10.6.0 < 10.6.9
drupal	drupal	Affected	> 11.0.0 < 11.1.10
drupal	drupal	Affected	> 11.2.0 < 11.2.12
drupal	drupal	Affected	> 11.3.0 < 11.3.10

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-6365	🔶 medium	6.1	0.0	Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core...	2026-05-19
CVE-2026-6366	🔶 medium	6.6	0.1	Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow...	2026-05-19
CVE-2026-6367	🔶 medium	6.1	0.0	Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core...	2026-05-19
CVE-2025-13080	🔶 medium	5.3	0.1	Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This i...	2025-11-18
CVE-2025-13081	🔶 medium	5.9	0.2	Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow...	2025-11-18
CVE-2025-13082	🔶 medium	4.3	0.1	User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofin...	2025-11-18

CVE-2026-9082

AI Summary

Summary

📊 Relative Risk Intelligence

🎯 CISA SSVC Assessment Updated: May 20, 2026

📦 Affected Products 6

🔗 References 2

🔗 Related CVEs 6