## https://sploitus.com/exploit?id=F7AD79BE-7C92-578C-965D-452EF30C9092
# CVE-2026-9082
Passive checker for **CVE-2026-9082 / SA-CORE-2026-004** โ Drupal core SQL injection (PostgreSQL only, anonymous-exploitable).
The script identifies a Drupal version from public endpoints and tells you whether it falls inside one of the vulnerable ranges. **No SQL injection payload is ever sent.** It is meant for authorised triage on your own infrastructure (or with written permission), not for offensive use.
## The advisory in one paragraph
A flaw in Drupal core's database abstraction layer lets an unauthenticated attacker inject arbitrary SQL **when the site uses PostgreSQL**. Impact ranges from information disclosure to RCE depending on the surrounding configuration. Exploit attempts have been observed in the wild since 2026-05-22.
| Branch | Fixed in |
|--------|----------|
| 11.3.x | 11.3.10 |
| 11.2.x | 11.2.12 |
| 11.0.x / 11.1.x | 11.1.10 |
| 10.6.x | 10.6.9 |
| 10.5.x | 10.5.10 |
| 8.9.x / 9.x / 10.4.x and earlier | 10.4.10 (and per-branch backport patches) |
Full advisory:
## What the script does
1. Lightly fingerprints the target ("does this look like Drupal at all?").
2. Tries to recover the version from, in order:
- `/core/CHANGELOG.txt` (Drupal 8+)
- `/CHANGELOG.txt` (Drupal 7 and earlier)
- `X-Generator` HTTP header
- `` in the homepage HTML
3. Compares the version to the vulnerable ranges listed in the advisory.
4. Reports `VULN`, `OK`, or `unknown` and reminds the operator that PostgreSQL is required for the bug to be reachable.
All requests are plain `curl` GET/HEAD calls against documented public files.
## Install
```bash
git clone https://github.com//CVE-2026-9082.git
cd CVE-2026-9082
chmod +x check.sh
```
Requires `bash`, `curl`, `awk`, `grep`, `sort -V`. Tested on macOS and Linux.
## Usage
Single target:
```bash
./check.sh https://drupal.example.org
```
Multiple targets at once:
```bash
./check.sh https://a.example https://b.example
```
From a file (one host per line, `#` comments allowed):
```bash
./check.sh -f targets.txt
```
### Example output
```
[*] https://drupal.example.org
detected version: 10.5.7 (source: CHANGELOG.txt)
[VULN] within vulnerable range for SA-CORE-2026-004 / CVE-2026-9082
note: actual exploitability requires PostgreSQL
postgres: cannot be determined passively -> confirm in settings.php
```
## Limits
- **Hardened sites will return "unknown".** If `CHANGELOG.txt` is blocked and the `X-Generator` header is stripped, the script cannot determine the version remotely. Fall back to `drush status` or `composer show drupal/core` on the server.
- **PostgreSQL is not detectable from the outside.** The script flags weak hints if any, but the only authoritative source is the `'driver'` key in `sites/default/settings.php`.
- **Version-only check.** A version flagged `OK` only means the public version string is patched; it does not audit contrib modules, custom code, or out-of-band Symfony/Twig advisories shipped alongside the same Drupal releases. Update those too.
- **Cached versions can lag reality.** A CDN may serve a stale `CHANGELOG.txt` after the origin has been patched. Re-check from a path that bypasses the CDN if you suspect this.
## Remediation
Upgrade to the relevant fixed release in the table above. The same point releases also bundle coordinated security updates for Symfony and Twig โ apply them even if your site is not on PostgreSQL.
If you cannot upgrade immediately and you are on PostgreSQL, restrict anonymous traffic at the edge (WAF rule on suspicious query strings) as a stop-gap. This is not a substitute for the patch.
## Legal
Only run this against systems you own or have written authorisation to test. Even passive fingerprinting can constitute unauthorised access under some jurisdictions.
## License
MIT โ see `LICENSE`.