Active Exploitation of Critical SQL Injection Vulnerability in Drupal Core

CVE-2026-9082 is under active exploitation and could allow for remote code execution

Threat ID:: CC-4788
Threat Severity:: High
Published:: 21 May 2026 12:36 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

CVE-2026-9082 is under active exploitation and could allow for remote code execution

Affected platforms

The following platforms are known to be affected:

Drupal

All versions, including end-of-life versions, are affected.

Threat details

Active exploitation of CVE‑2026‑9082

Drupal has confirmed exploitation attempts of CVE‑2026‑9082 in the wild. CVE‑2026‑9082 has been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.

The NHS England National CSOC assesses further exploitation as almost certain.

Introduction

Drupal have released a security update to address a critical severity vulnerability in Drupal Core. An anonymous user could send specially crafted API requests to exploit the vulnerability leading to information disclosure, and in some cases privilege escalation or remote code execution (RCE).

CVE‑2026‑9082 – "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" vulnerability – CVSS v3.1 score of 9.8

Threat updates

Date	Update
26 May 2026	Escalated to High severity following active exploitation of CVE‑2026‑9082 The following sections have been updated: Title Severity Summary Emphasis Box Introduction Remediation Introduction Remediation Steps

Date

Update

26 May 2026

Escalated to High severity following active exploitation of CVE‑2026‑9082

The following sections have been updated:

Title
Severity
Summary
Emphasis Box
Introduction
Remediation Introduction
Remediation Steps

Remediation advice

Affected organisations must review the Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 advisory and apply the relevant updates as soon as possible.

Note: Organisations using end-of-life versions must upgrade to a supported version.

Remediation steps

Type	Step
Patch	Required: Update to a fixed version Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.10. If you use Drupal 11.2.x, update to Drupal 11.2.12. If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10. Drupal 10 If you use Drupal 10.6.x, update to Drupal 10.6.9. If you use Drupal 10.5.x, update to Drupal 10.5.10. If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10. Drupal 9 and 8 Drupal 8.x and 9.x are end-of-life. Organisations using end-of-life versions must upgrade to a supported version, due to other disclosed security vulnerabilities in these versions. https://www.drupal.org/sa-core-2026-004

Type

Step

Patch

Required: Update to a fixed version

Drupal 11

If you use Drupal 11.3.x, update to Drupal 11.3.10.
If you use Drupal 11.2.x, update to Drupal 11.2.12.
If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10.

Drupal 10

If you use Drupal 10.6.x, update to Drupal 10.6.9.
If you use Drupal 10.5.x, update to Drupal 10.5.10.
If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10.

Drupal 9 and 8

Drupal 8.x and 9.x are end-of-life. Organisations using end-of-life versions must upgrade to a supported version, due to other disclosed security vulnerabilities in these versions.

https://www.drupal.org/sa-core-2026-004

Definitive source of threat updates

https://www.drupal.org/sa-core-2026-004

CVE Vulnerabilities

Status Published

CVE-2026-9082

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Last edited: 26 May 2026 11:31 am