CVE-2026-9082

CRITICAL KEV NUCLEI LAB

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Title source: cna
STIX 2.1

Exploitation Summary

CVE-2026-9082 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 22, 2026. EIP tracks 16 public exploits from researchers including cardosource, ambionics, sourcecode347. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC demonstrates an error-based SQL injection in Drupal Core 10.5.5 via JSON:API filter parameters, exploiting PostgreSQL error messages to disclose database information. The exploit crafts a malicious filter condition to trigger SQL errors containing sensitive data.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Exploits (16)

exploitdb WORKING POC
by cardosource · pythonwebappsphp
https://www.exploit-db.com/exploits/52608

This PoC demonstrates an error-based SQL injection in Drupal Core 10.5.5 via JSON:API filter parameters, exploiting PostgreSQL error messages to disclose database information. The exploit crafts a malicious filter condition to trigger SQL errors containing sensitive data.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal Core 10.5.5
No auth needed
Prerequisites: PostgreSQL backend · JSON:API enabled · access to JSON:API endpoint
mistral-large-3 · analyzed Jun 02, 2026 Full analysis →
github WORKING POC 7 stars
by ambionics · pythonremote
https://github.com/ambionics/cve-2026-9082-drupal-postgresql-rce

This repository contains a functional exploit for CVE-2026-9082, demonstrating a Drupal JSON:API PostgreSQL SQL injection that escalates to remote code execution (RCE). The exploit leverages PostgreSQL superuser privileges to write a preload library, reload configuration, and execute arbitrary commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Drupal 10.4.9 with PostgreSQL
No auth needed
Prerequisites: Drupal JSON:API enabled · PostgreSQL superuser privileges · PostgreSQL version 12.20 through 18.4
mistral-large-3 · analyzed May 28, 2026 Full analysis →
github SCANNER 1 stars
by sourcecode347 · pythoninfoleak
https://github.com/sourcecode347/CVE-2026-9082-Mass_Scanner

This repository contains a mass scanner for detecting CVE-2026-9082, an error-based SQL injection vulnerability in Drupal Core 10.5.5 (PostgreSQL). The script checks for the vulnerability by sending crafted requests to multiple targets and analyzing error responses.

Classification
Scanner 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal Core 10.5.5
No auth needed
Prerequisites: List of target domains in a text file
mistral-large-3 · analyzed Jun 17, 2026 Full analysis →
github WORKING POC
by SecureWithUmer · c++poc
https://github.com/SecureWithUmer/CVE-2026-PoCs/tree/main/2026/CVE-2026-9082

This PoC exploits a SQL injection vulnerability in Drupal Core's PostgreSQL Entity Query Condition handler (CVE-2026-9082), where user-controlled array keys from JSON:API filter values are used to construct SQL placeholder names without sanitization. The exploit demonstrates both boolean-based and time-based SQL injection techniques to extract data or execute arbitrary SQL queries.

Classification
Working Poc 98%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal Core 8.0 - 11.3.9 with PostgreSQL backend
No auth needed
Prerequisites: Drupal installation with PostgreSQL backend · JSON:API module enabled (default in Drupal 9+) · Target version between 8.0.0 and 11.3.9
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
github WORKING POC
by evidencebasedvulnerability · pythonremote
https://github.com/evidencebasedvulnerability/cve-2026-9082-drupal

This repository contains a functional exploit for CVE-2026-9082, demonstrating a Drupal JSON:API PostgreSQL SQL injection that escalates to remote code execution (RCE). The exploit leverages PostgreSQL superuser privileges to write a preload library, reload configuration, and execute arbitrary commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Drupal 10.4.9 with PostgreSQL
No auth needed
Prerequisites: Drupal 10.4.9 with JSON:API enabled · PostgreSQL superuser privileges
mistral-large-3 · analyzed Jun 29, 2026 Full analysis →
github WRITEUP
by eliHiHo · poc
https://github.com/eliHiHo/portfolio-drupal-cve-2026-9082

This repository contains evidence files demonstrating API checks and CVE verification for Drupal 10, specifically targeting CVE-2026-9082. The files include HTTP responses from API endpoints, login attempts, and baseline checks, suggesting a detailed analysis of the vulnerability's behavior.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Drupal 10
No auth needed
Prerequisites: Access to Drupal API endpoints
mistral-large-3 · analyzed Jun 23, 2026 Full analysis →
nomisec WORKING POC
by 11romain · remote
https://github.com/11romain/CVE-2026-9082

This repository contains functional exploit code for CVE-2026-9082, a PostgreSQL SQL injection vulnerability in Drupal Core. The exploit demonstrates both detection (scanner) and remote code execution (RCE) via SQL injection, leveraging PostgreSQL large objects and session_preload_libraries manipulation.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Complex
Reliability
Reliable
Target: Drupal Core with PostgreSQL backend
No auth needed
Prerequisites: PostgreSQL backend · superuser privileges for RCE
mistral-large-3 · analyzed Jun 07, 2026 Full analysis →
github WORKING POC
by thinhap · pythoninfoleak
https://github.com/thinhap/CVE-2026-9082-PoC

This repository contains a functional Python-based PoC for CVE-2026-9082, demonstrating unauthenticated SQL injection in Drupal Core's PostgreSQL backend via two exploit paths: the login endpoint and JSON:API filter parameter injection.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal Core (8.9.0-10.4.9, 10.5.0-10.5.9, 10.6.0-10.6.8, 11.0.0-11.1.9, 11.2.0-11.2.11, 11.3.0-11.3.9)
No auth needed
Prerequisites: PostgreSQL backend · Drupal instance with vulnerable version
mistral-large-3 · analyzed May 27, 2026 Full analysis →
github SCANNER
by strobelpierre · shellpoc
https://github.com/strobelpierre/CVE-2026-9082

This repository contains a semi-passive scanner for detecting Drupal installations potentially vulnerable to CVE-2026-9082, a PostgreSQL SQL injection vulnerability. The scanner performs version fingerprinting, PostgreSQL detection, and endpoint probing without sending any exploit payloads.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Drupal (versions 8.9.0-10.4.9, 10.5.0-10.5.9, 10.6.0-10.6.8, 11.0.0-11.1.9, 11.2.0-11.2.11, 11.3.0-11.3.9)
No auth needed
Prerequisites: network access to target Drupal instance
mistral-large-3 · analyzed May 27, 2026 Full analysis →
github SUSPICIOUS
by N45HT · poc
https://github.com/N45HT/drupal-cve-2026-9082-checker

The repository claims to be a checker for a Drupal Blind SQL Injection vulnerability but contains no actual code or technical details. It appears to be a placeholder or lure.

Classification
Suspicious 90%
Attack Type
Sqli
Complexity
Theoretical
Reliability
Theoretical
Target: Drupal (version unspecified)
No auth needed
Prerequisites: none specified
mistral-large-3 · analyzed May 24, 2026 Full analysis →
github WORKING POC
by ridhinva · pythonremote
https://github.com/ridhinva/CVE-2026-9082

This repository contains a functional exploit for CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core (8.0-11.3.9) with PostgreSQL backend. The exploit leverages JSON:API filter array key injection via PDO placeholder name abuse to achieve unauthenticated SQLi, enabling data exfiltration, privilege escalation, and potential RCE.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal Core 8.0-11.3.9 with PostgreSQL backend
No auth needed
Prerequisites: Drupal site with JSON:API enabled · PostgreSQL backend
mistral-large-3 · analyzed May 23, 2026 Full analysis →
github WORKING POC
by ywh-jfellus · pythonpoc
https://github.com/ywh-jfellus/CVE-2026-9082

This repository contains a functional Python-based PoC for CVE-2026-9082, a SQL injection vulnerability in Drupal core's PostgreSQL entity-query condition translator. The exploit leverages the JSON:API layer to inject malformed SQL conditions, causing a 500 error if the target is vulnerable.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal core (10.4.9 and earlier, patched in 11.2.12)
No auth needed
Prerequisites: Drupal with PostgreSQL backend · JSON:API enabled
mistral-large-3 · analyzed May 22, 2026 Full analysis →
github WORKING POC
by 7h30th3r0n3 · pythonremote
https://github.com/7h30th3r0n3/CVE-2026-9082-Drupal-PoC

This repository contains a functional Python-based exploit for CVE-2026-9082, a PostgreSQL SQL injection vulnerability in Drupal Core. The exploit leverages unsanitized array keys in JSON:API filter parameters to inject arbitrary SQL, with support for time-based and boolean-based detection, as well as data extraction.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal Core 8.0 - 11.3.9 (PostgreSQL backend)
No auth needed
Prerequisites: Drupal with PostgreSQL backend · JSON:API module enabled
mistral-large-3 · analyzed May 21, 2026 Full analysis →
github SCANNER
by 0xBlackash · pythonpoc
https://github.com/0xBlackash/CVE-2026-9082

The repository contains a Python script that checks for the presence of Drupal and tests for potential vulnerability to CVE-2026-9082 by probing specific endpoints. It does not include exploit code but provides a detection mechanism.

Classification
Scanner 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Theoretical
Target: Drupal Core (PostgreSQL backend)
No auth needed
Prerequisites: Drupal installation with PostgreSQL backend · Accessible autocomplete endpoints
mistral-large-3 · analyzed May 21, 2026 Full analysis →
github WRITEUP
by lysophavin18 · poc
https://github.com/lysophavin18/cve-2026-9082

This repository provides a detailed technical analysis of CVE-2026-9082, a SQL injection vulnerability in Drupal Core's database abstraction API affecting PostgreSQL backends. It includes root cause analysis, exploitation techniques, mitigation steps, and detection signals.

Classification
Writeup 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal Core (8.9.x-11.3.x) with PostgreSQL backend
No auth needed
Prerequisites: PostgreSQL backend · Exposed Drupal endpoints passing user input to DB queries
mistral-large-3 · analyzed May 21, 2026 Full analysis →
github WORKING POC
by HORKimhab · pythonremote
https://github.com/HORKimhab/CVE-2026-9082

This repository contains a functional exploit PoC for CVE-2026-9082, a SQL injection vulnerability in Drupal 8.0-11.3.9 via attacker-controlled array keys in JSON:API filter values. The PoC includes a Python script to detect and validate the vulnerability, along with detailed analysis and a lab setup for testing.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Drupal 8.0-11.3.9
No auth needed
Prerequisites: Drupal with JSON:API enabled · PostgreSQL backend · case-insensitive field in EntityQuery
mistral-large-3 · analyzed May 21, 2026 Full analysis →

Nuclei Templates (1)

Drupal Core - Anonymous SQL Injection via PostgreSQL Entity Query
CRITICALVERIFIEDby slcyber,DhiyaneshDk
Shodan: http.component:"Drupal"
FOFA: app="drupal"

Scores

CVSS v3 9.8
EPSS 0.8463
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull drupal:11.3.9-php8.4-apache
docker pull drupal:11.3.9
docker pull drupal:10.4.9-php8.3-apache
docker pull drupal:10.5.9
docker pull drupal:10.5.10
+12 more repos

Details

CISA KEV 2026-05-22
VulnCheck KEV 2026-05-22
ENISA EUVD EUVD-2026-31153
CWE
CWE-89
Status published
Products (13)
drupal/core 10.5.0 - 10.5.10Packagist
drupal/core 10.6.0 - 10.6.9Packagist
drupal/core 11.0.0 - 11.1.10Packagist
drupal/core 11.2.0 - 11.2.12Packagist
drupal/core 11.3.0 - 11.3.10Packagist
drupal/core 8.9.0 - 10.4.10Packagist
drupal/drupal 8.9.0 - 10.4.10
Drupal/Drupal core 10.5.0 - 10.5.10
Drupal/Drupal core 10.6.0 - 10.6.9
Drupal/Drupal core 11.0.0 - 11.1.10
... and 3 more
Published May 20, 2026
KEV Added May 22, 2026
Tracked Since May 21, 2026