CVE-2026-9082

Confirmed PUBLISHED

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Drupal · Drupal core

1 day faster than CISA KEV

Exploited in the wild Active exploitation observed PoC available Virtual patch available

Recommended Action

Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.

Confidence
Confirmed
Exploitation Status
Active exploitation observed
Observed in Sensors
Yes
Attempts (30d)
28
Unique Attacker IPs
8
CISA KEV
In CISA KEV
Virtual Patch
Yes 3 targets
CVSS / EPSS
9.8 Critical EPSS 84.6%

At a Glance

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

nuclei_scanner cisa drupal
CVE Published
May 20, 2026
Exploitation Reported
Jun 01, 2026
CVSS
9.8 Critical
EPSS
84.6%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
Drupal
Drupal core

8.9.0 to < 10.4.10

Affected
Drupal
Drupal core

10.5.0 to < 10.5.10

Affected
Drupal
Drupal core

10.6.0 to < 10.6.9

Affected
Drupal
Drupal core

11.0.0 to < 11.1.10

Affected
Drupal
Drupal core

11.2.0 to < 11.2.12

Affected
Drupal
Drupal core

11.3.0 to < 11.3.10

Affected

CVE References

Recommended Actions

  • Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
  • Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.