Drupal SQL Injection Vulnerability - 20260525001¶
Overview¶
Drupal has released a critical security advisory containing a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.
What is vulnerable?¶
| Product(s) Affected | Version(s) | CVE | CVSS | Severity |
|---|---|---|---|---|
| Drupal core | All versions prior to 10.4.10 10.5.x prior to 10.5.10 10.6.x prior to 10.6.9 11.0.x prior to 11.1.10 11.2.x prior to 11.2.12 11.3.x prior to 11.3.10 |
CVE-2026-9082 | 9.8 | Critical |
What has been observed?¶
CISA has added one or more of the mentioned items to their Known Exploited Vulnerabilities catalog. The WA SOC has not received any reports of exploitation of this vulnerability on Western Australian Government networks at the time of writing.
Recommendation¶
The WASOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframes (refer Patch Management):
- Drupal Advisory: https://www.drupal.org/sa-core-2026-004
Additional Resources¶
- Drupal version history: https://www.drupal.org/about/core/policies/core-release-cycles/schedule