Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Unauthenticated network-reachable SQLi (AV:N/PR:N/UI:N) with high confidentiality and integrity impact; AC:H retained because vendor scoring implies non-trivial preconditions, and A:N as injection does not inherently deny service.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector versions: from 0.0.0 to 1.3.0.
AnalysisAI
SQL injection in the Drupal Location Selector contributed module (all releases from 0.0.0 up to and including 1.3.0) lets remote attackers inject arbitrary SQL through improperly neutralized input, exposing and modifying database contents. The CVSS 3.1 base score is 7.4 with a network vector but high attack complexity, and the affected products confirm the Drupal 'location_selector' contrib module rather than Drupal core. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target Drupal site must have the Location Selector contrib module installed and enabled (versions 0.0.0 through 1.3.0), and the vulnerable input path must be reachable by the attacker; no authentication is required (PR:N) and no user interaction is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed but net moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote, unauthenticated attacker crafts requests to a Drupal page served by the Location Selector module, embedding SQL payloads in an input parameter that the module concatenates into a query. Successful injection lets them read sensitive database contents (user records, session or configuration data) and tamper with stored data. … |
| Remediation | Patch available per vendor advisory (https://www.drupal.org/sa-contrib-2026-072): upgrade the Location Selector module to the fixed release published after 1.3.0 as directed in the security advisory - the exact fixed version was not provided in this dataset, so confirm it on the drupal.org advisory before deploying rather than assuming a number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all Drupal installations running Location Selector module versions 0.0.0 through 1.3.0 and document their current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43076
GHSA-rf2g-w6mf-4xjr