
[CIVN-2026-0257] SQL Injection Vulnerability in Drupal
SQL Injection Vulnerability in Drupal
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Drupal core versions from 8.9.0 before 10.4.10
Drupal core versions from 10.5.0 before 10.5.10
Drupal core versions from 10.6.0 before 10.6.9
Drupal core versions from 11.0.0 before 11.1.10
Drupal core versions from 11.2.0 before 11.2.12
Drupal core versions from 11.3.0 before 11.3.10
Overview
A vulnerability has been reported in Drupal which could allow an attacker to obtain sensitive information, execute arbitrary SQL queries, escalate privileges, or potentially compromise the affected system.
Target Audience:
Individuals and end-user organizations using Drupal.
Risk Assessment:
High risk of unauthorized access to sensitive data, security bypass, and service unavailability.
Impact Assessment:
Potential for data theft, system crash and system compromise.
Description
Drupal is an open-source content management system (CMS) that allows individuals and organizations to create, manage and maintain websites and web applications.
This vulnerability exists in Drupal Core due to improper handling of database queries in the database abstraction API. An attacker could exploit this vulnerability by sending specially crafted requests to conduct SQL injection attacks against sites using PostgreSQL databases. (This vulnerability only affects sites using PostgreSQL.)
Successful exploitation of this vulnerability could allow an attacker to access sensitive information, escalate privileges, modify database contents, or potentially compromise the affected system.
Please note that Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x and all prior releases have reached end-of-life and no longer receive security support. Drupal 8 and Drupal 9 have also reached end-of-life.
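The following triage helper is an added example, not part of the CERT-In advisory or of Drupal's code. It checks an inventory against the affected version ranges, the PostgreSQL-only condition and the end-of-life branches stated above. The inventory rows are constructed, and the use of `pgsql` as the recorded driver value for PostgreSQL sites is an assumption about the inventory format.

```python
import re

# Affected ranges as listed in the advisory: (first affected, first fixed).
AFFECTED = [
    ((8, 9, 0), (10, 4, 10)),
    ((10, 5, 0), (10, 5, 10)),
    ((10, 6, 0), (10, 6, 9)),
    ((11, 0, 0), (11, 1, 10)),
    ((11, 2, 0), (11, 2, 12)),
    ((11, 3, 0), (11, 3, 10)),
]

def is_eol(v):
    """Branches the advisory names as end-of-life: 10.4.x and prior, 11.0.x, 11.1.x."""
    return v[:2] <= (10, 4) or v[:2] in ((11, 0), (11, 1))

def triage(version, db_driver):
    """Return (status, end_of_life) for one site; end_of_life is None if unparsed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        # Dev, alpha, beta and rc strings do not order cleanly; check by hand.
        return ("REVIEW", None)
    v = tuple(int(part) for part in m.groups())
    in_range = any(lo <= v < hi for lo, hi in AFFECTED)
    if in_range and db_driver.lower() == "pgsql":
        status = "VULNERABLE"
    elif in_range:
        status = "AFFECTED_VERSION_OTHER_DB"
    else:
        status = "NOT_IN_AFFECTED_RANGE"
    return (status, is_eol(v))

# Constructed sample inventory: (site, Drupal core version, database driver).
SAMPLE_INVENTORY = [
    ("intranet", "10.5.9", "pgsql"),
    ("shop", "10.5.10", "pgsql"),
    ("archive", "9.5.11", "pgsql"),
    ("blog", "11.2.11", "mysql"),
    ("staging", "11.3.0-rc1", "pgsql"),
]

def triage_inventory(rows):
    """Append (status, end_of_life) to every inventory row."""
    return [(site, ver, drv) + triage(ver, drv) for site, ver, drv in rows]

if __name__ == "__main__":
    for site, ver, drv, status, eol in triage_inventory(SAMPLE_INVENTORY):
        print(f"{site:10} {ver:12} {drv:6} {status:26} eol={eol}")
```

A site reported as `NOT_IN_AFFECTED_RANGE` with `end_of_life` set is still on a branch the advisory lists as no longer receiving security support.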
Solution
Upgrade to the latest versions as mentioned in the security advisories:
https://www.drupal.org/sa-core-2026-004
Vendor Information
Drupal
https://www.drupal.org/
References
https://www.drupal.org/sa-core-2026-004
CVE Name
CVE-2026-9082
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


