Medium (6.5) Actively Exploited

Drupal core SQLi actively exploited (CVE-2026-9082) [PoC]

CVE-2026-9082

CVE-2026-9082: Actively exploited SQL injection in Drupal core 8.9.0-11.3.9 lets unauthenticated attackers extract database contents. Update to patched versions listed.

Actively exploited in the wild: CVE-2026-9082 is a medium-severity SQL injection vulnerability in Drupal core versions 8.9.0 through 11.3.9 that lets unauthenticated attackers extract arbitrary database contents. Patches are available for all affected branches; update immediately.

Overview

CVE-2026-9082 is an improper neutralization of special elements used in an SQL command (SQL injection) vulnerability in Drupal core. The flaw lets an attacker with network access inject SQL into queries without authentication or user interaction, so any public-facing Drupal site running an affected version is potentially exposed to compromise.

The vulnerability affects Drupal core from 8.9.0 through 10.4.9, 10.5.0 through 10.5.9, 10.6.0 through 10.6.8, 11.0.0 through 11.1.9, 11.2.0 through 11.2.11, and 11.3.0 through 11.3.9. It has been assigned a CVSS score of 6.5 (Medium) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating low attack complexity and no required privileges.

Impact

An attacker exploiting CVE-2026-9082 can read sensitive data from the Drupal database, including user credentials, session tokens, configuration secrets, and content data. Because the vulnerability is actively exploited in the wild (confirmed by CISA’s Known Exploited Vulnerabilities catalog), every delay in patching directly exposes your organization to a data breach. The EPSS probability of exploitation over the next 30 days is very low (0.0%), yet active exploitation campaigns are already underway.

Remediation

The Drupal security team has released patched versions for all affected branches. Upgrade immediately to one of the following versions:

  • Drupal 10.4.10 or later
  • Drupal 10.5.10 or later
  • Drupal 10.6.9 or later
  • Drupal 11.1.10 or later
  • Drupal 11.2.12 or later
  • Drupal 11.3.10 or later

If you cannot update immediately, apply any vendor-provided workarounds, or restrict database query access from untrusted networks as a temporary mitigation. Check the Drupal security advisories (see the security news section) for additional guidance.
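As an added example (not code from the advisory or from the Drupal project), the following Python checks an inventory of Drupal core version strings against the affected ranges and first fixed releases listed above. It assumes plain MAJOR.MINOR.PATCH version strings (pre-release suffixes are dropped) and uses a constructed sample inventory.

```python
import re

# (first affected, last affected, first fixed), transcribed from the advisory's
# Overview and Remediation sections.
AFFECTED_RANGES = [
    ((8, 9, 0), (10, 4, 9), (10, 4, 10)),
    ((10, 5, 0), (10, 5, 9), (10, 5, 10)),
    ((10, 6, 0), (10, 6, 8), (10, 6, 9)),
    ((11, 0, 0), (11, 1, 9), (11, 1, 10)),
    ((11, 2, 0), (11, 2, 11), (11, 2, 12)),
    ((11, 3, 0), (11, 3, 9), (11, 3, 10)),
]

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Reduce '10.4.9', 'v10.4.9' or '10.4.9-dev' to a (major, minor, patch) tuple.
    Pre-release suffixes are dropped (assumption), so 10.4.10-rc1 counts as 10.4.10."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Return (vulnerable, first_fixed) for one Drupal core version string.
    Tuples compare lexicographically, so every 9.x release sits inside 8.9.0..10.4.9
    and maps to 10.4.10: the 8.x and 9.x branches receive no fix of their own.
    Versions below 8.9.0 match no range and come back as not affected, which only
    means the advisory does not list them."""
    version = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return True, ".".join(str(part) for part in fixed)
    return False, None


def report(inventory):
    """One line per site for a {site_name: version} inventory."""
    lines = []
    for site, version in sorted(inventory.items()):
        vulnerable, fixed = assess(version)
        action = f"upgrade to {fixed} or later" if vulnerable else "not in an affected range"
        lines.append(f"{site}: Drupal {version} -> {action}")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    print("\n".join(report({"intranet": "9.5.11", "shop": "10.6.8-dev", "blog": "11.3.10"})))
```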

Security Insight

This incident mirrors the 2022 Drupal SQL injection chain (CVE-2022-25298), which also targeted unauthenticated database access. The repeated exploitation pattern suggests that Drupal’s query preprocessing layer remains a weak point. Active exploitation of a medium-severity SQLi underscores that the CVSS score alone is not a reliable triage filter: attackers prioritize operational simplicity over theoretical severity. Organizations running Drupal should treat unauthenticated database read access as a critical finding regardless of the CVSS base score, and implement Web Application Firewall (WAF) rules to block suspicious SQL patterns as a defense-in-depth measure. For updates on related data breaches, see the breach reports section.


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repositories (with GitHub stars):

  • 7h30th3r0n3/CVE-2026-9082-Drupal-PoC (★ 3): Drupal Core PostgreSQL SQL Injection PoC - CVE-2026-9082. Ethical PoC for the Drupal vulnerability allowing anonymous SQL injection through the JSON:API module on PostgreSQL-backed sites.
  • HORKimhab/CVE-2026-9082 (★ 2): CVE-2026-9082 | SA-CORE-2026-004
  • 0xBlackash/CVE-2026-9082 (★ 1): CVE-2026-9082
  • lysophavin18/cve-2026-9082 (★ 0): cve poc
  • ywh-jfellus/CVE-2026-9082 (★ 0): PoC for CVE-2026-9082 (Drupal SA-CORE-2026-004) Drupal Core SQLi

Showing 5 of 5 known references. Source: nomi-sec/PoC-in-GitHub.

Nuclei Detection Templates

Detection template available — your exposure is being scanned

The templates below are YAML signatures for the Nuclei scanner from ProjectDiscovery. They are not exploit code — they are detection rules that confirm whether a target is vulnerable. The presence of a Nuclei template means every bug bounty hunter, AppSec team, red team, and reconnaissance pipeline on the public internet is actively probing for this CVE.

Assume your exposed instances have already been touched. Patch immediately even if no exploitation is observed yet — fingerprinting precedes exploitation by days at most.

Template: CVE-2026-9082.yaml

1 Nuclei template indexed for this CVE. Source: projectdiscovery/nuclei-templates.
