CVE-2026-9082: Drupal Core has a SQL Injection issue

May 20, 2026 (updated June 18, 2026)

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Drupal Drupal core allows SQL Injection.

This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

References

github.com/advisories/GHSA-ghwc-95x2-682j
nvd.nist.gov/vuln/detail/CVE-2026-9082
www.drupal.org/sa-core-2026-004

Code Behaviors & Features

Detect and mitigate CVE-2026-9082 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →