CVE-2026-9082

EUVD-2026-31153
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.

This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
drupaldrupal
8.9.0 ≤
𝑥
< 10.4.10
drupaldrupal
10.5.0 ≤
𝑥
< 10.5.10
drupaldrupal
10.6.0 ≤
𝑥
< 10.6.9
drupaldrupal
11.0.0 ≤
𝑥
< 11.1.10
drupaldrupal
11.2.0 ≤
𝑥
< 11.2.12
drupaldrupal
11.3.0 ≤
𝑥
< 11.3.10
𝑥
= Vulnerable software versions