The flaw can be exploited without authentication: a specially crafted request lets an attacker inject arbitrary SQL into queries on sites that run Drupal on a PostgreSQL database backend. Successful exploitation can lead to information disclosure, privilege escalation and potentially remote code execution.
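The advisory does not name the injectable endpoint or parameter, so a responder cannot match on the request path. What can be matched is the PostgreSQL-specific shape of the payloads such an injection invites (time-based probes with pg_sleep, catalog reads such as pg_shadow, and COPY ... FROM/TO PROGRAM, which is the usual route from SQL injection to OS command execution on a PostgreSQL host). The script below is an added example of that detection logic, not code from the Drupal project or from the advisory; the access-log lines are constructed, and the /search?keys= endpoint in them is a placeholder, not the vulnerable one.

```python
"""Flag PostgreSQL-flavoured SQL injection attempts in web access logs.

Added example (not Drupal or advisory code). The vulnerable endpoint is not
named on the page, so detection keys on PostgreSQL-specific payload markers
rather than on any request path. /search?keys= below is a placeholder.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
# Lines 3 to 5 carry typical PostgreSQL-specific payloads, URL-encoded as a
# browser or tool would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2026:10:00:01 +0000] "GET /node/1 HTTP/1.1" 200 5123
203.0.113.5 - - [01/Jan/2026:10:00:02 +0000] "GET /search?keys=drupal HTTP/1.1" 200 2210
198.51.100.7 - - [01/Jan/2026:10:00:03 +0000] "GET /search?keys=x%27%29%3Bselect+pg_sleep%2810%29--+ HTTP/1.1" 200 2210
198.51.100.7 - - [01/Jan/2026:10:00:04 +0000] "GET /search?keys=x%27%3B+COPY+t+FROM+PROGRAM+%27id%27--+ HTTP/1.1" 500 312
198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /search?keys=x%27+UNION+SELECT+usename%2Cpasswd+FROM+pg_shadow--+ HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Marker name -> (pattern applied to the URL-decoded request, severity).
MARKERS = {
    # closes a string literal and starts a second statement
    "stacked_query": (re.compile(r"'\s*\)?\s*;"), "high"),
    # time-based blind probe, PostgreSQL-only function
    "pg_sleep": (re.compile(r"\bpg_sleep\s*\(", re.I), "high"),
    # UNION-based data extraction
    "union_select": (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "high"),
    # credential and role catalogs
    "pg_catalog": (re.compile(r"\bpg_(shadow|authid|user|roles)\b", re.I), "high"),
    # COPY ... FROM/TO PROGRAM runs an OS command on the database host
    "copy_program": (re.compile(r"\bcopy\b.*?\b(from|to)\s+program\b", re.I), "critical"),
}
RANK = {"critical": 2, "high": 1}


def decode(s, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%2527) are seen in the
    clear. unquote_plus also maps '+' to a space, which is what form-encoded
    query strings mean; a literal '+' in a path segment is rare enough to accept."""
    for _ in range(rounds):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


def classify(request):
    """Return the names of every marker that matches the decoded request."""
    return [name for name, (pat, _) in MARKERS.items() if pat.search(request)]


def scan_log(text):
    """Parse combined-format lines and return one hit per request that carries
    at least one marker, with the highest severity among its markers."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at fields
        decoded = decode(m["path"])
        found = classify(decoded)
        if not found:
            continue
        severity = max((MARKERS[n][1] for n in found), key=RANK.__getitem__)
        hits.append({"ip": m["ip"], "status": m["status"], "request": decoded,
                     "markers": found, "severity": severity})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['severity']:8} {h['ip']:15} {h['status']} {h['markers']} {h['request']}")
```

The detector decodes before matching because the interesting characters (quotes, semicolons, parentheses) almost always arrive percent-encoded, and it decodes more than once so that a double-encoded payload is not missed. A 500 response on a flagged request, as on the COPY line, is worth prioritising: it often means the injected statement reached the database and failed there rather than being rejected by the application.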
| Vendor | Product | Versions |
|---|---|---|
| drupal | drupal | 8.9.0, 10.5.0, 10.6.0, 11.0.0, 11.2.0, 11.3.0, multiple versions, 9.5 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| open source | drupal | cert_advisory | 90% |
Change history (newest first):
- Updated CVSS score from 6.5 to 9.8 and noted that no new patch version is available.
- Added affected version 9.5 and noted that a patch is available but not specified in the article.
- Updated description with details on exploitation methods and added a new IoC and a tag related to CISA KEV.
- Updated CVSS score to 6.5, added CISA KEV tag, and added CVE-2026-9082 (recorded there as a CWE ID, which it is not; it is a CVE identifier).
- Updated description with technical details about PostgreSQL impact, changed CVSS score to 23 (not a valid value; CVSS scores range from 0.0 to 10.0), and added new tags related to gaming and financial services.
- Updated description with new technical details and added CVE-2026-9082.
- Updated severity to HIGH, added a CVSS estimate of 8.0, and included new affected version 10.5.x along with a more detailed description of the vulnerability.
- Updated description to include the potential for remote code execution and confirmed a CVSS score of 6.5.
- Updated description with more technical details about the vulnerability's impact and exploitability; added affected versions 11.3, 11.2, 10.6, 10.5, 8.9 and 9.5; corrected the CVSS estimate to 9.8; added MITRE ATT&CK technique T1190; and added tags for remote code execution, information disclosure, and privilege escalation.
- Updated affected versions to include 11.3.9, changed severity to CRITICAL, noted that no exploit is available, and added the tag 'sql injection'.
- Initial creation.