SQL injection in Drupal Core (CVE-2026-9082) — risk of privilege escalation and remote code execution
Drupal, a widely used open-source CMS, has a SQL injection vulnerability in its core, reachable through the database abstraction API: specially crafted requests can lead to privilege escalation and remote code execution (RCE). CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; CVSS 9.8 (Critical).
Key facts
- CVE ID: CVE-2026-9082
- CVSS base score: 9.8 CRITICAL
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Affected (vendor / product): Drupal Core
- CWE: CWE-89
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-05-27 (U.S. federal civilian agencies, BOD 22-01)
Key points
- SQL injection (CWE-89) in Drupal Core via the database abstraction API
- Can lead to privilege escalation and remote code execution (RCE)
- A flaw in CMS core functionality = widely deployed, broad blast radius
- Listed in CISA KEV = exploitation confirmed (CVSS 9.8 Critical)
- Response: update core per Drupal's instructions. Public websites are high priority
CVE-2026-9082 is a SQL injection vulnerability (CWE-89) in Drupal Core (the heart of the open-source CMS Drupal, used by many public-sector and enterprise sites). It was added to CISA's KEV catalog on May 22, 2026.
Per NVD, sending specially crafted requests through Drupal's database abstraction API (the layer that standardizes database access for core and modules) achieves SQL injection that can lead to privilege escalation and remote code execution (RCE). The CVSS vector spells out why the score is 9.8: network-reachable, low attack complexity, no privileges and no user interaction required, and high impact on confidentiality, integrity, and availability. Because the flaw is in core functionality (the foundation shared by every Drupal site), the blast radius is broad.
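The page does not publish the vulnerable code path, so the following is an added illustration of the CWE-89 pattern in general, not Drupal's code and not the actual CVE-2026-9082 bug. It contrasts a lookup that splices untrusted input into the SQL text with one that passes the value through a named placeholder, the same `:name` convention Drupal's database API uses. The table, rows, and the crafted input are constructed for the demo; the attacker string turns a filter that excludes administrators into one that returns them.

```python
import sqlite3

# Constructed sample data (not from the page): a minimal users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("admin", "administrator"), ("alice", "authenticated")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # CWE-89: untrusted input becomes part of the SQL text. The query is meant to
    # look up a non-administrator account by name.
    sql = (
        "SELECT uid, name, role FROM users "
        f"WHERE name = '{name}' AND role <> 'administrator'"
    )
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Named placeholder: the driver sends the value separately from the query
    # text, so quotes or comment sequences in it can never become SQL syntax.
    sql = (
        "SELECT uid, name, role FROM users "
        "WHERE name = :name AND role <> 'administrator'"
    )
    return conn.execute(sql, {"name": name}).fetchall()

# Constructed attacker input: closes the string literal, ORs in the admin
# condition, and comments out the role filter that followed.
CRAFTED = "x' OR role = 'administrator' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, CRAFTED))  # returns the admin row
    print("safe:      ", lookup_safe(db, CRAFTED))        # returns nothing
```

The vulnerable query becomes `... WHERE name = 'x' OR role = 'administrator' --' AND role <> 'administrator'`: the trailing filter is dead text after the comment marker, and the administrator row comes back. The same input through the placeholder version matches no user, because it is compared as a literal string.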
Drupal is widely adopted by government agencies, universities, and enterprises. If this is exploited on an internet-facing site, it can lead to site defacement or takeover and code execution on the web server. A public CMS is an easily reachable internet-exposed asset for attackers, which is why the KEV listing pushes for prompt updates.
Key response: update Drupal Core to a fixed version per Drupal's official instructions. The standard KEV required action applies: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Public websites are high priority. The federal civilian remediation deadline was May 27, 2026.
Why it matters
A core SQLi leading to RCE in a widely used CMS, directly tied to defacement and takeover risk for public websites. Organizations running Drupal should update core immediately, inventory exposed Drupal installations, and review web-server access logs for crafted requests (quotes, comment sequences, UNION SELECT, boolean tautologies) in paths and query strings, especially from sources that then produced 5xx responses.
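As an added example of the log review recommended above (not tooling from the page, CISA, or Drupal), the script below parses combined-format access log lines, URL-decodes each request target, and flags the generic SQL injection patterns that crafted requests usually carry. The log lines are constructed for the demo; the regexes are deliberately simple and will both miss obfuscated payloads and flag some legitimate searches, so treat hits as triage leads rather than verdicts.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2026:10:01:12 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/May/2026:10:01:15 +0000] "GET /search/node?keys=x%27%20UNION%20SELECT%20uid%2Cname%2Cpass%20FROM%20users_field_data--%20 HTTP/1.1" 200 9810 "-" "python-requests/2.31"
198.51.100.9 - - [22/May/2026:10:02:03 +0000] "GET /user/login HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.9 - - [22/May/2026:10:02:09 +0000] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/May/2026:10:02:30 +0000] "GET /node?title=1%27%20OR%201%3D1--%20 HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

# Fields we need from a combined-format line: client IP, timestamp, method,
# request target, and status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic CWE-89 indicators, checked against the URL-decoded target.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(?:or|and)\s+\S+\s*=\s*\S+", re.I), "boolean tautology after quote"),
    (re.compile(r"union\s+(?:all\s+)?select", re.I), "UNION SELECT"),
    (re.compile(r"'.*(?:--|/\*)"), "quote followed by comment sequence"),
]

def classify(target):
    """Return the list of indicator labels found in a decoded request target."""
    decoded = unquote_plus(target)
    return [label for pat, label in SQLI_PATTERNS if pat.search(decoded)]

def scan(log_text):
    """Parse each line and keep those whose target trips at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = classify(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
                "target": m["target"],
                "reasons": reasons,
            })
    return hits

def by_source(hits):
    """Count flagged requests per client IP to surface the noisiest sources."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], h["target"], "->", ", ".join(h["reasons"]))
    print(by_source(scan(SAMPLE_LOG)))
```

Run it against a real access log with `scan(open(path).read())`. Pivot on the source IPs it reports and on the order of their requests: a probe that returns 500 followed by later 200s from the same client is the sequence worth pulling the full request bodies and application logs for.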
FAQ
What is Drupal?
An open-source content management system (CMS) widely used by government agencies, universities, and enterprises to run public websites. Drupal Core is the shared foundation every Drupal site runs on.
How dangerous is it?
Very: CVSS 9.8 (Critical), reachable over the network with no privileges or user interaction required, and CISA has confirmed exploitation by listing it in KEV. Successful exploitation can lead to privilege escalation and remote code execution on the web server.
What should I do?
Update Drupal Core to a fixed version per Drupal's official instructions, prioritizing public-facing sites; inventory exposed Drupal installations; and review web-server logs for suspicious requests.
Sources (primary)
This article is an independent summary organized from the U.S. official data sources below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).