Vulnerability-Lookup

WID-SEC-W-2026-1620

Vulnerability from csaf_certbund - Published: 2026-05-20 22:00 - Updated: 2026-05-25 22:00

Summary

Drupal Core (PostgreSQL): Schwachstelle ermöglicht Manipulation von Dateien

Severity

Kritisch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Drupal ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.

Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Drupal Core ausnutzen, um eine SQL-Injection durchzuführen, die je nach Datenbankkonfiguration zur Offenlegung von Informationen, zur Erweiterung von Privilegien oder zur potenziellen Ausführung von Remote-Code führen kann.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-9082

Affected products

Known affected 8 products

Product	Identifier	Version	Remediation
Open Source Drupal Core <9.5 Open Source / Drupal		Core <9.5
Open Source Drupal Core <10.4.10 Open Source / Drupal		Core <10.4.10
Open Source Drupal Core <10.5.10 Open Source / Drupal		Core <10.5.10
Open Source Drupal Core <10.6.9 Open Source / Drupal		Core <10.6.9
Open Source Drupal Core <11.1.10 Open Source / Drupal		Core <11.1.10
Open Source Drupal Core <11.2.12 Open Source / Drupal		Core <11.2.12
Open Source Drupal Core <11.3.10 Open Source / Drupal		Core <11.3.10
Open Source Drupal Core <8.9 Open Source / Drupal		Core <8.9

References

5 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.drupal.org/sa-core-2026-004	external
https://github.com/advisories/GHSA-ghwc-95x2-682j	external
https://github.com/7h30th3r0n3/CVE-2026-9082-Drupal-PoC	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "kritisch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Drupal ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. \u00dcber zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Drupal Core ausnutzen, um eine SQL-Injection durchzuf\u00fchren, die je nach Datenbankkonfiguration zur Offenlegung von Informationen, zur Erweiterung von Privilegien oder zur potenziellen Ausf\u00fchrung von Remote-Code f\u00fchren kann.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1620 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1620.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1620 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1620"
      },
      {
        "category": "external",
        "summary": "Drupal Security Advisory sa-core-2026-004 vom 2026-05-20",
        "url": "https://www.drupal.org/sa-core-2026-004"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-ghwc-95x2-682j vom 2026-05-20",
        "url": "https://github.com/advisories/GHSA-ghwc-95x2-682j"
      },
      {
        "category": "external",
        "summary": "CVE-2026-9082 \u2014 Drupal Core PostgreSQL SQL Injection PoC",
        "url": "https://github.com/7h30th3r0n3/CVE-2026-9082-Drupal-PoC"
      }
    ],
    "source_lang": "en-US",
    "title": "Drupal Core (PostgreSQL): Schwachstelle erm\u00f6glicht Manipulation von Dateien",
    "tracking": {
      "current_release_date": "2026-05-25T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-25T19:35:33.071+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1620",
      "initial_release_date": "2026-05-20T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-20T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-25T22:00:00.000+00:00",
          "number": "2",
          "summary": "Exploit aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Core \u003c11.3.10",
                "product": {
                  "name": "Open Source Drupal Core \u003c11.3.10",
                  "product_id": "T054432"
                }
              },
              {
                "category": "product_version",
                "name": "Core 11.3.10",
                "product": {
                  "name": "Open Source Drupal Core 11.3.10",
                  "product_id": "T054432-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:core__11.3.10."
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Core \u003c11.2.12",
                "product": {
                  "name": "Open Source Drupal Core \u003c11.2.12",
                  "product_id": "T054434"
                }
              },
              {
                "category": "product_version",
                "name": "Core 11.2.12",
                "product": {
                  "name": "Open Source Drupal Core 11.2.12",
                  "product_id": "T054434-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:core__11.2.12"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Core \u003c11.1.10",
                "product": {
                  "name": "Open Source Drupal Core \u003c11.1.10",
                  "product_id": "T054436"
                }
              },
              {
                "category": "product_version",
                "name": "Core 11.1.10",
                "product": {
                  "name": "Open Source Drupal Core 11.1.10",
                  "product_id": "T054436-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:core__11.1.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Core \u003c10.6.9",
                "product": {
                  "name": "Open Source Drupal Core \u003c10.6.9",
                  "product_id": "T054438"
                }
              },
              {
                "category": "product_version",
                "name": "Core 10.6.9",
                "product": {
                  "name": "Open Source Drupal Core 10.6.9",
                  "product_id": "T054438-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:core__10.6.9"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Core \u003c10.5.10",
                "product": {
                  "name": "Open Source Drupal Core \u003c10.5.10",
                  "product_id": "T054440"
                }
              },
              {
                "category": "product_version",
                "name": "Core 10.5.10",
                "product": {
                  "name": "Open Source Drupal Core 10.5.10",
                  "product_id": "T054440-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:core__10.5.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Core \u003c10.4.10",
                "product": {
                  "name": "Open Source Drupal Core \u003c10.4.10",
                  "product_id": "T054441"
                }
              },
              {
                "category": "product_version",
                "name": "Core 10.4.10",
                "product": {
                  "name": "Open Source Drupal Core 10.4.10",
                  "product_id": "T054441-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:core__10.4.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Core \u003c9.5",
                "product": {
                  "name": "Open Source Drupal Core \u003c9.5",
                  "product_id": "T054442"
                }
              },
              {
                "category": "product_version",
                "name": "Core 9.5",
                "product": {
                  "name": "Open Source Drupal Core 9.5",
                  "product_id": "T054442-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:core__9.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Core \u003c8.9",
                "product": {
                  "name": "Open Source Drupal Core \u003c8.9",
                  "product_id": "T054443"
                }
              },
              {
                "category": "product_version",
                "name": "Core 8.9",
                "product": {
                  "name": "Open Source Drupal Core 8.9",
                  "product_id": "T054443-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:core__8.9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Drupal"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-9082",
      "product_status": {
        "known_affected": [
          "T054442",
          "T054441",
          "T054440",
          "T054438",
          "T054436",
          "T054434",
          "T054432",
          "T054443"
        ]
      },
      "release_date": "2026-05-20T22:00:00.000+00:00",
      "title": "CVE-2026-9082"
    }
  ]
}

CVE-2026-9082 (GCVE-0-2026-9082)

Vulnerability from cvelistv5 – Published: 2026-05-20 18:20 – Updated: 2026-05-23 03:55

Title

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Summary

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

drupal

References

1 reference

URL	Tags
https://www.drupal.org/sa-core-2026-004

Impacted products

1 product

Vendor	Product	Version
Drupal	Drupal core	Affected: 8.9.0 , < 10.4.10 (semver) Affected: 10.5.0 , < 10.5.10 (semver) Affected: 10.6.0 , < 10.6.9 (semver) Affected: 11.0.0 , < 11.1.10 (semver) Affected: 11.2.0 , < 11.2.12 (semver) Affected: 11.3.0 , < 11.3.10 (semver)

Date Public

2026-05-20 18:08

Credits

Michael Maturi (michaelmaturi) Björn Brala (bbrala) Benji Fisher (benjifisher) catch (catch) Lee Rowlands (larowlan) Dave Long (longwave) Drew Webber (mcdruid) Jess (xjm) Anna Kalata (akalata) Benji Fisher (benjifisher) catch (catch) Damien McKenna (damienmckenna) Neil Drumm (drumm) Greg Knaddison (greggles) Heine Deelstra (heine) Tim Hestenes Lehnen (hestenet) Dave Long (longwave) Drew Webber (mcdruid) Juraj Nemec (poker10) Pierre Rudloff (prudloff) Jess (xjm) Cathy Theys (yesct)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9082",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-05-22",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-23T03:55:38.207Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-22T00:00:00.000Z",
            "value": "CVE-2026-9082 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/drupal",
          "defaultStatus": "unaffected",
          "product": "Drupal core",
          "repo": "https://git.drupalcode.org/project/drupal",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "10.4.10",
              "status": "affected",
              "version": "8.9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.5.10",
              "status": "affected",
              "version": "10.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.6.9",
              "status": "affected",
              "version": "10.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.1.10",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.2.12",
              "status": "affected",
              "version": "11.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.3.10",
              "status": "affected",
              "version": "11.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Michael Maturi (michaelmaturi)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Bj\u00f6rn Brala (bbrala)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benji Fisher (benjifisher)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "catch (catch)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Lee Rowlands (larowlan)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Dave Long (longwave)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jess  (xjm)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Anna Kalata (akalata)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Benji Fisher (benjifisher)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "catch (catch)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Damien McKenna (damienmckenna)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Neil Drumm (drumm)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Heine Deelstra (heine)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Tim Hestenes Lehnen (hestenet)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Dave Long (longwave)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Pierre Rudloff (prudloff)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Cathy Theys (yesct)"
        }
      ],
      "datePublic": "2026-05-20T18:08:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Drupal core allows SQL Injection.\u003cp\u003eThis issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Drupal core allows SQL Injection.\n\nThis issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T17:43:22.299Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-core-2026-004"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Drupal core - Highly critical - SQL injection - SA-CORE-2026-004",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2026-9082",
    "datePublished": "2026-05-20T18:20:52.863Z",
    "dateReserved": "2026-05-20T13:35:13.119Z",
    "dateUpdated": "2026-05-23T03:55:38.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1620

CVE-2026-9082 (GCVE-0-2026-9082)

Tags

Sightings

Nomenclature