VDB

ESB-2026.5487

ESB-2026.5487 PUBLISHED CVSS 6.5 MEDIUM

=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.5487 Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 21 May 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: Drupal Core Publisher: Drupal Operating System: Windows UNIX variants (UNIX, Linux, OSX) Resolution: Patch/Upgrade CVE Names: CVE-2026-9082 Original Bulletin: https://www.drupal.org/sa-core-2026-004 Comment: CVSS (Max): 6.5 CVE-2026-9082 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) CVSS Source: CISA-ADP Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N EPSS (Max): None available when published - --------------------------BEGIN INCLUDED TEXT-------------------- Project: Drupal core Date: 2026-May-20 Security risk: Highly critical 20 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: SQL injection CVE IDs: CVE-2026-9082Affected versions: >= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10 Description: Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. This vulnerability can be exploited by anonymous users. This SQL injection vulnerability only affects sites using PostgreSQL . However, the third-party dependency updates in these releases apply to all sites. Upstream security advisories The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities. Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not . It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules. Solution: Install the latest version. The following releases will be available as soon as automated release packaging is complete. You may receive a 404 in the interim. The updates may also be available on Packagist sooner. Drupal 11 o If you use Drupal 11.3.x, update to Drupal 11.3.10 . o If you use Drupal 11.2.x, update to Drupal 11.2.12 . o If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10 . Drupal 10 o If you use Drupal 10.6.x, update to Drupal 10.6.9 . o If you use Drupal 10.5.x, update to Drupal 10.5.10 . o If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10 . Drupal 9 and 8 o If you use any version of Drupal 9, try manually applying the Drupal 9.5 patch for this issue . o If you use Drupal 8.9, try manually applying the Drupal 8.9 patch for this issue . Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities. Reported By: o Michael Maturi (michaelmaturi) Fixed By: o Bjorn Brala (bbrala) o Benji Fisher (benjifisher) of the Drupal Security Team o catch (catch) of the Drupal Security Team o Lee Rowlands (larowlan) of the Drupal Security Team o Dave Long (longwave) of the Drupal Security Team o Drew Webber (mcdruid) of the Drupal Security Team o Jess (xjm) of the Drupal Security Team Coordinated By: o Anna Kalata (akalata) of the Drupal Security Team o Benji Fisher (benjifisher) of the Drupal Security Team o catch (catch) of the Drupal Security Team o Damien McKenna (damienmckenna) of the Drupal Security Team o Neil Drumm (drumm) of the Drupal Security Team o Greg Knaddison (greggles) of the Drupal Security Team o Heine Deelstra (heine) of the Drupal Security Team o Tim Hestenes Lehnen (hestenet) o Dave Long (longwave) of the Drupal Security Team o Drew Webber (mcdruid) of the Drupal Security Team o Juraj Nemec (poker10) of the Drupal Security Team o Pierre Rudloff (prudloff) of the Drupal Security Team o Jess (xjm) of the Drupal Security Team o Cathy Theys (yesct) of the Drupal Security Team - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================

Risk Scores

CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersions
DrupalDrupal Core

Timeline

  • May 21, 2026 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›