CVE-2026-9082 is a SQL injection vulnerability in Drupal Core when Drupal uses PostgreSQL. The vulnerable PostgreSQL Entity Query condition handling can place attacker-controlled array keys into PDO placeholder names, allowing raw SQL to reach PostgreSQL from anonymous HTTP entry points that build entity queries. In exposed configurations, this can lead to arbitrary SQL execution, data disclosure, privilege escalation, and, when the PostgreSQL role has sufficient privileges, remote code execution.

The affected Drupal Core versions are 8.9.0 through 10.4.9, 10.5.0 through 10.5.9, 10.6.0 through 10.6.8, 11.0.0 through 11.1.9, 11.2.0 through 11.2.11, and 11.3.0 through 11.3.9, only for sites using PostgreSQL.

This module targets the JSON:API filter entry point. It automatically discovers a usable JSON:API resource and filter field, validates the SQL injection by leaking PostgreSQL context, and commits CVE-2026-9082 when the primitive is confirmed. If the PostgreSQL role is superuser, the module writes an Impact agent and an embedded PostgreSQL preload library through large objects, updates PostgreSQL preload settings, reloads the configuration, and launches the agent from a fresh PostgreSQL backend. If the role is not superuser, the module collects bounded PostgreSQL and Drupal evidence, then finishes gracefully after reporting that agent deployment is not possible.
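The exposure described above depends on two facts an administrator can check offline: the installed Drupal Core version and whether the site's database driver is PostgreSQL. The following added example (not part of the original page or of any Drupal or module code) encodes the affected version ranges listed above as inclusive intervals and combines them with the driver check. It assumes the standard Drupal layout, where `core/lib/Drupal.php` carries a `const VERSION = '...'` line and `settings.php` selects PostgreSQL with the driver key `pgsql`; the sample file contents used in the script are constructed for illustration.

```python
"""Assess exposure to CVE-2026-9082 from the Drupal version and database driver.

Affected ranges are taken from the advisory text on this page. The flaw only
applies when the site runs on PostgreSQL, so the driver is checked as well.
"""
import re

# Inclusive version ranges listed as affected (from the page text).
AFFECTED_RANGES = [
    ("8.9.0", "10.4.9"),
    ("10.5.0", "10.5.9"),
    ("10.6.0", "10.6.8"),
    ("11.0.0", "11.1.9"),
    ("11.2.0", "11.2.11"),
    ("11.3.0", "11.3.9"),
]

# Driver keys under which Drupal's settings.php selects PostgreSQL (assumption:
# 'pgsql' is the core driver name; 'postgresql' is accepted as a lenient alias).
POSTGRES_DRIVERS = {"pgsql", "postgresql"}


def parse_version(version):
    """Turn '10.4.9' (optionally with a '-dev' or '-rc1' suffix) into an int tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_affected_version(version):
    """True when the version lies inside any of the inclusive affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def read_core_version(drupal_php_source):
    """Extract the VERSION constant from the text of core/lib/Drupal.php."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", drupal_php_source)
    if not m:
        raise ValueError("no VERSION constant found in Drupal.php source")
    return m.group(1)


def read_db_driver(settings_php_source):
    """Extract the 'driver' value of the default database connection from settings.php."""
    m = re.search(r"'driver'\s*=>\s*'([^']+)'", settings_php_source)
    return m.group(1) if m else None


def assess(version, db_driver):
    """Combine the version range check with the database driver actually in use."""
    if db_driver is None or db_driver.lower() not in POSTGRES_DRIVERS:
        return "not exposed: site does not use PostgreSQL"
    if is_affected_version(version):
        return "exposed: Drupal Core version is in an affected range; update Drupal Core"
    return "not exposed: version outside affected ranges"


if __name__ == "__main__":
    # Constructed sample file contents standing in for a real installation.
    sample_drupal_php = "<?php\nclass Drupal {\n  const VERSION = '10.5.3';\n}\n"
    sample_settings_php = (
        "<?php\n$databases['default']['default'] = [\n"
        "  'database' => 'drupal',\n  'driver' => 'pgsql',\n];\n"
    )
    version = read_core_version(sample_drupal_php)
    driver = read_db_driver(sample_settings_php)
    print(f"Drupal {version} on driver {driver}: {assess(version, driver)}")
```

On a real site, read the two files from the document root instead of the constructed strings; a result of "exposed" means the version and driver combination matches the advisory, and the remediation is to update Drupal Core to a release outside the listed ranges.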