CVE-2026-9082 · CRITICAL 9.8 · CISA KEV · EPSS p98.2%

CVE-2026-9082: Drupal Core SQL Injection Vulnerability

Drupal / Core

Description

Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 33.66% probability of exploitation · percentile 98.2% · 2026-06-18T12:00:27Z
Published: 2026-05-20
Last modified: 2026-05-22

CISA KEV entry

Added to KEV: 2026-05-22

Underlying weaknesses · 1

CWE-89

References

  1. https://www.drupal.org/sa-core-2026-004
  2. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082

1

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89) | 0% | live

(incoming) 1

Type | Target | Confidence | Tier
KEVEntry | Drupal Core SQL Injection Vulnerability (kev-cve-2026-9082) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: Drupal Core Remote Code Execution Vulnerability
  2. CVE: CVE-2026-21262
  3. CVE: CVE-2026-34018
  4. CVE: CVE-2025-28982
  5. CVE: CVE-2026-42672
  6. CVE: CVE-2026-3326

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.