Drupal Remote Code Execution Vulnerability
RISK: Extremely High Risk
TYPE: Servers - Other Servers
A vulnerability was identified in Drupal. A remote attacker could exploit this vulnerability to trigger remote code execution, elevation of privilege and sensitive information disclosure on the targeted system.
Note:
CVE-2026-9082 is being exploited in the wild. Drupal Core contains a SQL injection vulnerability. A remote attacker could exploit this vulnerability by sending specially crafted requests with the database abstraction API. Hence, the risk level is rated as Extremely High Risk.
[Updated on 2026-05-26]
Updated Risk Level, Description and Related Links.
Impact
- Remote Code Execution
- Information Disclosure
- Elevation of Privilege
System / Technologies affected
- Drupal version 8.9.0 and later, prior to 10.4.10
- Drupal version 10.5.0 and later, prior to 10.5.10
- Drupal version 10.6.0 and later, prior to 10.6.9
- Drupal version 11.0.0 and later, prior to 11.1.10
- Drupal version 11.2.0 and later, prior to 11.2.12
- Drupal version 11.3.0 and later, prior to 11.3.10
Solutions
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
- For Drupal 8.9, manually applying the Drupal 8.9 patch
- For any version of Drupal 9, manually applying the Drupal 9.5 patch
- For Drupal 10.4.x or earlier, update to Drupal 10.4.10
- For Drupal 10.5.x, update to Drupal 10.5.10
- For Drupal 10.6.x, update to Drupal 10.6.9
- For Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10
- For Drupal 11.2.x, update to Drupal 11.2.12
- For Drupal 11.3.x, update to Drupal 11.3.10
Note:
- Drupal 8 and Drupal 9 have both reached end-of-life. Those unsupported versions will still have other, previously disclosed security vulnerabilities.
- Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage.
Vulnerability Identifier
Source
Related Link
Related Tags
Share with