Intel

AIKIDO-2026-10862

drupal/core is vulnerable to SQL Injection

SQL Injection | CVE-2026-9082 | Published May 21, 2026

98

Critical Risk

This affects:

PHP: drupal/core
8.9.0 - 10.4.9: fixed in 10.4.10
10.5.0 - 10.5.9: fixed in 10.5.10
10.6.0 - 10.6.8: fixed in 10.6.9
11.0.0 - 11.1.9: fixed in 11.1.10
11.2.0 - 11.2.11: fixed in 11.2.12
11.3.0 - 11.3.9: fixed in 11.3.10

TL;DR

Drupal core's database abstraction API does not sufficiently prevent SQL injection in some PostgreSQL query handling. An anonymous attacker can send specially crafted requests that result in arbitrary SQL injection on affected PostgreSQL-backed sites. On unpatched sites, this can expose non-public data and lead to privilege escalation, remote code execution, or other database-driven compromise. The fix updates Drupal core's database handling and ships in the listed security releases.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your site uses PostgreSQL.
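The two conditions above can be checked from a site's files. The following is an added example, not part of the advisory or of Drupal: it reads the locked drupal/core version from composer.lock and looks for an active `'driver' => 'pgsql'` entry in settings.php. The function names and sample inputs are constructed for illustration, and the driver check is a text heuristic that assumes the usual array-style `$databases` definition.

```python
import json
import re

# Affected ranges and fixed releases, copied from the advisory above.
AFFECTED = [
    ((8, 9, 0), (10, 4, 9), "10.4.10"),
    ((10, 5, 0), (10, 5, 9), "10.5.10"),
    ((10, 6, 0), (10, 6, 8), "10.6.9"),
    ((11, 0, 0), (11, 1, 9), "11.1.10"),
    ((11, 2, 0), (11, 2, 11), "11.2.12"),
    ((11, 3, 0), (11, 3, 9), "11.3.10"),
]

def core_version(lock_text):
    """Return drupal/core's locked version as an (x, y, z) tuple, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "drupal/core":
            m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", pkg.get("version", ""))
            # Dev branches and pre-releases (e.g. 10.4.x-dev) are not comparable here.
            return tuple(map(int, m.groups())) if m else None
    return None

def uses_pgsql(settings_text):
    """Heuristic: an uncommented 'driver' => 'pgsql' entry in settings.php."""
    for line in settings_text.splitlines():
        s = line.strip()
        if s.startswith(("*", "/*", "//", "#")):
            continue  # default.settings.php ships commented driver examples
        if re.search(r"""['"]driver['"]\s*=>\s*['"]pgsql['"]""", s):
            return True
    return False

def assess(lock_text, settings_text):
    """Return (status, fixed_version); status is affected / not-affected / unknown."""
    version = core_version(lock_text)
    if version is None:
        return ("unknown", None)  # no parseable drupal/core release: check by hand
    for low, high, fixed in AFFECTED:
        if low <= version <= high and uses_pgsql(settings_text):
            return ("affected", fixed)
    return ("not-affected", None)

# Constructed sample inputs, not taken from a real site.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "drupal/core", "version": "10.5.9"}]})
SAMPLE_SETTINGS = "<?php\n *   'driver' => 'mysql',\n$databases['default']['default'] = [\n  'driver' => 'pgsql',\n];\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_SETTINGS))
```

An "unknown" result means the lock file pins a dev branch or pre-release, or does not list drupal/core at all, so the version has to be confirmed manually.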

Background info

drupal/core is vulnerable to SQL Injection in versions 8.9.0 - 10.4.9, 10.5.0 - 10.5.9, 10.6.0 - 10.6.8, 11.0.0 - 11.1.9, 11.2.0 - 11.2.11 and 11.3.0 - 11.3.9.

How to fix this

Upgrade the drupal/core library to the patched version for your release branch (10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 or 11.3.10).