CVE-2026-9082

Updated on 20 May 2026

Severity

6.5 Medium severity

Details

CVSS score
6.5
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Overview

About vulnerability

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. This vulnerability can be exploited by anonymous users. This vulnerability only affects sites using PostgreSQL. However, the dependency updates in this release apply to all sites.

Details

Affected product:
drupal/core
Affected packages:
core @ 9.5.11 (+1 more)
Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. This vulnerability can be exploited by anonymous users. This vulnerability only affects sites using PostgreSQL. However, the dependency updates in this release apply to all sites.

Fixes