Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
CISA Known Exploited Vulnerability
Date added 2026-05-22 | Due date 2026-05-27
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Problem types
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Product status
8.9.0 (semver) before 10.4.10
10.5.0 (semver) before 10.5.10
10.6.0 (semver) before 10.6.9
11.0.0 (semver) before 11.1.10
11.2.0 (semver) before 11.2.12
11.3.0 (semver) before 11.3.10
Credits
Michael Maturi (michaelmaturi)
Björn Brala (bbrala)
Benji Fisher (benjifisher)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Jess (xjm)
Anna Kalata (akalata)
Benji Fisher (benjifisher)
catch (catch)
Damien McKenna (damienmckenna)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Heine Deelstra (heine)
Tim Hestenes Lehnen (hestenet)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
Jess (xjm)
Cathy Theys (yesct)
References
www.cisa.gov/...nerabilities-catalog?field_cve=CVE-2026-9082
www.drupal.org/sa-core-2026-004