HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Error‑Based SQL Injection Discovered in Drupal Core 10.5.5 (CVE‑2026‑9082) Exposes Database Details

A publicly disclosed proof‑of‑concept exploit (CVE‑2026‑9082) reveals an error‑based SQL injection in Drupal Core 10.5.5’s JSON:API endpoint. Unauthenticated attackers can force PostgreSQL to return error messages that contain arbitrary query results, putting any site running the vulnerable version at risk of data disclosure. Third‑party risk managers should verify patch status across all Drupal‑based vendors.

LiveThreat™ Intelligence · 📅 June 02, 2026· 📰 exploit-db.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

Error‑Based SQL Injection Discovered in Drupal Core 10.5.5 (CVE‑2026‑9082) Exposes Database Details

What Happened – A proof‑of‑concept exploit (EDB‑ID 52608) demonstrates an error‑based SQL injection in Drupal Core 10.5.5’s JSON:API endpoint when PostgreSQL is used. By manipulating the filter[my_filter][condition][value] parameter, an attacker can trigger a database error that returns the result of arbitrary SQL sub‑queries, allowing information disclosure such as the PostgreSQL version.

Why It Matters for TPRM

  • Drupal powers thousands of public‑facing websites and intranets; a vulnerable instance can leak internal data to unauthenticated actors.
  • The flaw resides in a core component (JSON:API) that many third‑party integrations rely on, expanding the attack surface across supply‑chain relationships.
  • Exploitation does not require authentication, making it a low‑effort, high‑impact vector for reconnaissance and further compromise.

Who Is Affected – Organizations that run Drupal 10.5.5 (or earlier unpatched versions) on any stack (Docker, Apache, Nginx, etc.), especially those exposing JSON:API to the internet. Typical sectors include technology/SaaS, retail/e‑commerce, government, education, and media.

Recommended Actions

  • Immediately upgrade to Drupal 10.5.6 or later, where the issue is patched.
  • If upgrade is not possible, block or restrict access to the /jsonapi/* endpoints to trusted IP ranges.
  • Review web‑application firewall (WAF) rules for the specific payload pattern (filter[my_filter][condition][value][0||CAST().
  • Conduct a targeted scan for the CVE‑2026‑9082 signature on all Drupal instances in the vendor ecosystem.

Technical Notes – The vulnerability is an error‑based SQL injection (CVE‑2026‑9082) affecting the JSON:API module when PostgreSQL is the backend. The exploit injects a crafted filter key that forces the database to evaluate a sub‑query and return the error message, leaking data such as SELECT version(). No CVE‑2026‑9082 patches were available at the time of disclosure. Source: Exploit‑DB 52608

📰 Original Source
https://www.exploit-db.com/exploits/52608

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →