Threats / Drupal / CVE-2026-9082
CVE-2026-9082
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-07
Drupal Core vulnerability
Drupal Core contains a SQL injection vulnerability in the database abstraction API that could enable privilege escalation and remote code execution through specially crafted requests.
Verdict
Today item — known-exploited.
SQL injection in Drupal Core's database layer permits attackers to manipulate database queries, potentially escalate privileges and achieve remote code execution. Active exploitation observed in the wild with moderate EPSS score indicates elevated risk despite no CVSS assignment.
01
Is it exploitable?
— the evidence, ranked above the scoreExploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-05-22).
Probability (EPSS)
EPSS 0.07937 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Drupal, Core. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-89 SQL Injection — weakness family: Injection.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No threat-actor attribution is established from the public feed for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft a malicious request targeting the database abstraction API to inject SQL commands.
Business
Attackers gain unauthorized database access, exposing sensitive user and application data.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I leverage the SQL injection to extract or modify user account records and escalate my privileges to administrator level.
Business
Unauthorized administrative access enables full compromise of the Drupal installation and hosted content.
3
Lateral reach — past segmentation narrative 3
Attacker
I execute arbitrary code on the server through database manipulation or by writing files to the web root.
Business
Complete system compromise allows attackers to deploy malware, steal data, or pivot to internal infrastructure.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05
Coverage & confidence
— what we know, and what we don’tEstablished (cited)
Coverage gaps — stated, not hidden
Disclosure & credit2
Catalogued by drupalCNA
Credited with finding itMichael Maturi (michaelmaturi)finderBjörn Brala (bbrala)remediation developerBenji Fisher (benjifisher)remediation developercatch (catch)remediation developerLee Rowlands (larowlan)remediation developerDave Long (longwave)remediation developerDrew Webber (mcdruid)remediation developerJess (xjm)remediation developerAnna Kalata (akalata)coordinatorBenji Fisher (benjifisher)coordinatorcatch (catch)coordinatorDamien McKenna (damienmckenna)coordinatorNeil Drumm (drumm)coordinatorGreg Knaddison (greggles)coordinatorHeine Deelstra (heine)coordinatorTim Hestenes Lehnen (hestenet)coordinatorDave Long (longwave)coordinatorDrew Webber (mcdruid)coordinatorJuraj Nemec (poker10)coordinatorPierre Rudloff (prudloff)coordinatorJess (xjm)coordinatorCathy Theys (yesct)coordinator