Latest Drupal core vulnerability: CVE-2026-9082
Drupal disclosed that certain versions of Drupal core are affected by a SQL injection vulnerability in the database abstraction API due to the improper neutralization of special elements. This flaw allows a remote, unauthenticated attacker to send specially crafted requests that result in arbitrary SQL execution on sites configured to use a PostgreSQL database. Successful exploitation allows an attacker to achieve information disclosure and, in select cases, privilege escalation, remote code execution (RCE), or other attacks. This vulnerability has been designated CVE-2026-9082 and has been rated critical with a CVSS score of 9.8.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected:
- Drupal: Versions 8.9.0 to before 10.4.10
- Drupal: Versions 10.5.0 to before 10.5.10
- Drupal: Versions 10.6.0 to before 10.6.9
- Drupal: Versions 11.0.0 to before 11.1.10
- Drupal: Versions 11.2.0 to before 11.2.12
- Drupal: Versions 11.3.0 to before 11.3.10
Note: this vulnerability only affects sites configured to use a PostgreSQL database.
What is Drupal core?
Drupal core is the blank-slate version of the PHP-based content management system (CMS) and web application framework that includes only the essential tools needed to build, log into, and run a basic website.
What is the impact?
Successful exploitation of this vulnerability could result in information disclosure, privilege escalation, remote code execution (RCE), or other arbitrary attacks.
Are updates or workarounds available?
Users are encouraged to upgrade affected systems to the following versions, or to apply the listed patches where no fixed release exists, immediately:
- Drupal 8.9: Manually apply the patch SA-CORE-2026-004-8.9.patch.
- Drupal 9.x: Manually apply the Drupal 9.5 patch SA-CORE-2026-004-9.5.patch.
- Drupal 10.4.x or earlier: Upgrade to version 10.4.10 or later.
- Drupal 10.5.x: Upgrade to version 10.5.10 or later.
- Drupal 10.6.x: Upgrade to version 10.6.9 or later.
- Drupal 11.0.x or 11.1.x: Upgrade to version 11.1.10 or later.
- Drupal 11.2.x: Upgrade to version 11.2.12 or later.
- Drupal 11.3.x: Upgrade to version 11.3.10 or later.
How to find potentially vulnerable systems with runZero
From the Software Inventory, use the following query to locate potentially impacted assets:
vendor:=Drupal AND product:=Drupal
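The inventory query above returns every Drupal asset, not only the vulnerable ones, so the next step is to classify each asset by its core version and database driver against the affected ranges and remediation table listed earlier in this advisory. The following is an added example, not code from runZero or the Drupal project: it encodes the version ranges, fix versions and patch names exactly as this page states them, treats a pre-release build such as 11.3.10-rc1 as older than the 11.3.10 fix, and applies the PostgreSQL-only condition using the driver name from Drupal's settings.php (pgsql, mysql, sqlite). The hostnames and versions in SAMPLE_INVENTORY are constructed for illustration.

```python
"""Triage a Drupal inventory against the CVE-2026-9082 affected ranges.

Added example, not code from runZero or the Drupal project. The version
ranges, fix versions and patch names are copied from this advisory; the
hostnames and versions in SAMPLE_INVENTORY are constructed.
"""
import re
from typing import NamedTuple

# Bounds are (major, minor, patch). The lower bound is inclusive and the upper
# bound is exclusive ("X to before Y"), matching how the advisory states each
# range. The action column is the remediation the advisory gives for that branch.
ADVISORY = [
    ((8, 9, 0),  (9, 0, 0),   "apply SA-CORE-2026-004-8.9.patch"),
    ((9, 0, 0),  (10, 0, 0),  "apply SA-CORE-2026-004-9.5.patch"),
    ((10, 0, 0), (10, 4, 10), "upgrade to 10.4.10 or later"),
    ((10, 5, 0), (10, 5, 10), "upgrade to 10.5.10 or later"),
    ((10, 6, 0), (10, 6, 9),  "upgrade to 10.6.9 or later"),
    ((11, 0, 0), (11, 1, 10), "upgrade to 11.1.10 or later"),
    ((11, 2, 0), (11, 2, 12), "upgrade to 11.2.12 or later"),
    ((11, 3, 0), (11, 3, 10), "upgrade to 11.3.10 or later"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '10.4.9', '11.3.10-rc1' or '10.5' into a comparable 4-tuple.

    The fourth element is 0 for a pre-release and 1 for a final release, so
    that 10.4.10-rc1 sorts below 10.4.10 and is still counted as vulnerable
    when the fix version is 10.4.10. A missing patch number is read as 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


class Finding(NamedTuple):
    host: str
    version: str
    affected: bool
    reason: str


def assess(host: str, version: str, db_driver: str) -> Finding:
    """Classify one asset.

    db_driver is the Drupal database driver name as written in settings.php
    ('pgsql', 'mysql', 'sqlite'). Only PostgreSQL sites are exposed, so a
    non-PostgreSQL site on an unpatched version is reported as not affected
    but the pending remediation is still carried in the reason text.
    """
    v = parse_version(version)
    for lo, hi, action in ADVISORY:
        # Append the "final release" marker so bounds compare against 4-tuples.
        if lo + (1,) <= v < hi + (1,):
            if db_driver == "pgsql":
                return Finding(host, version, True,
                               f"PostgreSQL site in affected range: {action}")
            return Finding(host, version, False,
                           f"unpatched but not on PostgreSQL ({db_driver}); {action}")
    return Finding(host, version, False, "version not in an affected range")


# Constructed sample inventory: (host, reported Drupal version, database driver).
SAMPLE_INVENTORY = [
    ("www-1.example.test",    "10.4.9",      "pgsql"),
    ("www-2.example.test",    "10.4.10",     "pgsql"),
    ("intranet.example.test", "9.5.11",      "pgsql"),
    ("blog.example.test",     "11.2.5",      "mysql"),
    ("staging.example.test",  "11.3.10-rc1", "pgsql"),
    ("legacy.example.test",   "8.9.20",      "pgsql"),
]


def triage(inventory):
    """Return a Finding for every asset, affected ones first (stable order)."""
    findings = [assess(h, v, d) for h, v, d in inventory]
    return sorted(findings, key=lambda f: not f.affected)


def affected_hosts(inventory):
    """Hostnames that need immediate action, in triage order."""
    return [f.host for f in triage(inventory) if f.affected]


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        flag = "AFFECTED" if f.affected else "ok      "
        print(f"{flag} {f.host:<24} {f.version:<12} {f.reason}")
```

Feed the function the version and driver fields from your own inventory export; the driver check is what keeps MySQL and SQLite sites out of the emergency queue, while the reason text still records that they sit on a release the advisory replaces.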