Skip to main content

Location Selector EUVDEUVD-2026-43076

| CVE-2026-15081 HIGH
SQL Injection (CWE-89)
2026-07-10 drupal GHSA-rf2g-w6mf-4xjr
7.4
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

Unauthenticated network-reachable SQLi (AV:N/PR:N/UI:N) with high confidentiality and integrity impact; AC:H retained because vendor scoring implies non-trivial preconditions, and A:N as injection does not inherently deny service.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 13, 2026 - 19:32 vuln.today
CVSS changed
Jul 13, 2026 - 19:22 NVD
7.4 (HIGH)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:46 cve.org
HIGH 7.4
CVE Published
Jul 10, 2026 - 21:46 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector versions: from 0.0.0 to 1.3.0.

AnalysisAI

SQL injection in the Drupal Location Selector contributed module (all releases from 0.0.0 up to and including 1.3.0) lets remote attackers inject arbitrary SQL through improperly neutralized input, exposing and modifying database contents. The CVSS 3.1 base score is 7.4 with a network vector but high attack complexity, and the affected products confirm the Drupal 'location_selector' contrib module rather than Drupal core. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Drupal site using Location Selector module
Delivery
Craft request with SQL payload in module parameter
Exploit
Bypass input neutralization (CWE-89)
Execution
Execute injected SQL against database
Impact
Exfiltrate or modify stored data

Vulnerability AssessmentAI

Exploitation The target Drupal site must have the Location Selector contrib module installed and enabled (versions 0.0.0 through 1.3.0), and the vulnerable input path must be reachable by the attacker; no authentication is required (PR:N) and no user interaction is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but net moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote, unauthenticated attacker crafts requests to a Drupal page served by the Location Selector module, embedding SQL payloads in an input parameter that the module concatenates into a query. Successful injection lets them read sensitive database contents (user records, session or configuration data) and tamper with stored data. …
Remediation Patch available per vendor advisory (https://www.drupal.org/sa-contrib-2026-072): upgrade the Location Selector module to the fixed release published after 1.3.0 as directed in the security advisory - the exact fixed version was not provided in this dataset, so confirm it on the drupal.org advisory before deploying rather than assuming a number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all Drupal installations running Location Selector module versions 0.0.0 through 1.3.0 and document their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy