
Drupal Core database abstraction API SQL injection flaw (CVE-2026-9082)

Vulnerability
H score 30
2 unique sources, 3 articles

Summary


CVE-2026-9082 in Drupal Core is a SQL injection flaw in the database abstraction API that affects PostgreSQL-backed sites and can lead to information disclosure, privilege escalation, or remote code execution. The issue can be triggered with specially crafted requests and is serious enough that Drupal released fixed builds for supported branches. Administrators running impacted deployments should move to the patched release for their branch.

Related Happenings

CISA orders FCEB patching for CVE-2026-9082

Public Sector Action
First: 26.05.2026 11:46 Last: 26.05.2026 11:46 Sources 1

How related: On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by Binding Operational Directive (BOD) 22-01.

About this happening: **CISA** added **CVE-2026-9082** to the **KEV Catalog** and ordered **FCEB agencies** to patch **Drupal** by **May 27**, turning an actively exploited flaw into a mandatory federa...

Quiz and Survey Master SQL injection mitigation (CVE-2025-67987)

Advisory/Mitigation
First: 03.02.2026 18:15 Last: 03.02.2026 18:15 Sources 1

About this happening: **Patchstack** published mitigation guidance for **CVE-2025-67987**, directing administrators to update **Quiz and Survey Master** to **version 10.3.2** to close a **SQL injection...

MongoDB Server CVE-2025-14847 mitigation advisory

Advisory/Mitigation
First: 24.12.2025 16:18 Last: 24.12.2025 16:18 Sources 1

About this happening: MongoDB issued an **immediate mitigation advisory** for **CVE-2025-14847**, warning that **MongoDB Server** deployments face a **high-severity memory-read flaw** that **unauthenti...

Timeline

  1. 21.05.2026 06:44 3 articles · 6d ago

    Drupal ships patched releases for CVE-2026-9082

    Mitigation Patch Update

    Drupal released security updates for CVE-2026-9082 in Drupal Core, a highly critical database abstraction API flaw that affects sites using PostgreSQL. The vulnerability can let anonymous users send specially crafted requests that trigger arbitrary SQL injection, which may lead to information disclosure, privilege escalation, or remote code execution. Fixed releases were issued for Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10, and manual patches were provided for end-of-life Drupal 8 and Drupal 9; Drupal 7 is not affected. Supported branches also include upstream security updates for Symfony and Twig.
