Impact
Drupal.org lists CVE-2026-9082 as a highly critical SQL injection affecting multiple Drupal Core release lines [S1]. The vendor advisory says the SQL-injection condition applies to sites using PostgreSQL and notes exploit attempts in the wild [S1]. NVD records the CVE with Drupal's critical CVSS score and CISA Known Exploited Vulnerabilities context [S2][S4]. A repository dependency match should drive urgent patch triage, but it does not prove the scanned deployment runs that Composer version, uses PostgreSQL, exposes affected Drupal functionality, or has been exploited.
Root Cause
Drupal's database abstraction layer normally keeps application input from changing SQL syntax before queries reach the database. The advisory describes a PostgreSQL-specific failure in that boundary for affected Drupal Core releases [S1][S2]. GitHub tracks the same CVE/GHSA, but the advisory record is unreviewed and does not provide package metadata, so FixVibe relies on the Drupal vendor advisory, NVD/CISA data, and target-specific Composer evidence [S1][S2][S3].
Covered by FixVibe
FixVibe GitHub repo scans now flag Composer evidence for drupal/core and drupal/core-recommended when the declared or resolved version is in the affected ranges. The report includes the package, file path, observed version or constraint, advisory IDs, confidence, fixed branch guidance, and what was not verified. This is static repository evidence: FixVibe does not run Drupal, inspect the deployed database backend, verify PostgreSQL use, send SQL payloads, extract data, authenticate, inspect live route exposure, or claim runtime exploit confirmation.
Remediation
Upgrade Drupal Core to the fixed release for the active branch [S1]. For supported branches, use 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10 as applicable; for Drupal 8.9 or 9, follow Drupal's best-effort patch guidance and plan migration to a supported branch [S1]. Regenerate composer.lock, rebuild and deploy the PHP/Drupal runtime or container, verify with composer show drupal/core drupal/core-recommended, confirm whether PostgreSQL-backed sites were exposed, and review logs, backups, and credentials according to incident-response policy.
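As an added example (not FixVibe's own scanner code), the following Python script performs the kind of static composer.lock check described under Covered by FixVibe and doubles as a pre- and post-upgrade verification against the fixed releases listed above. It assumes that any resolved drupal/core or drupal/core-recommended version below its branch's fixed release is affected (the advisory's exact affected ranges are not reproduced here), and the composer.lock fragment is constructed sample data.

```python
import json
import re

# Fixed releases per supported branch, taken from the remediation guidance above.
FIXED = {
    (10, 4): (10, 4, 10), (10, 5): (10, 5, 10), (10, 6): (10, 6, 9),
    (11, 1): (11, 1, 10), (11, 2): (11, 2, 12), (11, 3): (11, 3, 10),
}
# Branches with only best-effort patches; flag them so migration gets planned.
UNSUPPORTED_MAJORS = {8, 9}
PACKAGES = {"drupal/core", "drupal/core-recommended"}

def parse_version(v):
    """'10.5.9' or 'v10.5.9' -> (10, 5, 9); None for dev-* and other forms."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)$", v or "")
    return tuple(int(x) for x in m.groups()) if m else None

def assess(version):
    """Classify one resolved Drupal Core version against the fixed releases."""
    t = parse_version(version)
    if t is None:
        return ("unknown", "unparseable version %r; verify manually" % version)
    if t[0] in UNSUPPORTED_MAJORS:
        return ("affected", "branch %d.x has no regular fixed release" % t[0])
    fixed = FIXED.get(t[:2])
    if fixed is None:  # assumption: branches not listed need manual review
        return ("unknown", "branch %d.%d not listed in the advisory" % t[:2])
    label = ".".join(map(str, fixed))
    if t < fixed:
        return ("affected", "below fixed release %s" % label)
    return ("fixed", "at or above fixed release %s" % label)

def scan_lock(lock_text):
    """Return one finding per matching package in a composer.lock document."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in PACKAGES:
                version = pkg.get("version", "")
                status, reason = assess(version)
                findings.append({"package": pkg["name"], "version": version,
                                 "status": status, "reason": reason})
    return findings

# Constructed composer.lock fragment; not taken from any real deployment.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core-recommended", "version": "10.5.9"},
    {"name": "drupal/core", "version": "10.5.9"},
    {"name": "symfony/console", "version": "v6.4.0"}], "packages-dev": []})

if __name__ == "__main__":
    for finding in scan_lock(SAMPLE_LOCK):
        print(finding)
```

A finding of "fixed" only shows the lock file resolves a patched release; it still says nothing about the deployed runtime, the database backend, or prior exploitation.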
