CVE-2026-15081

Drupal · Location Selector

A critical SQL injection vulnerability in the Drupal Location Selector module allows unauthenticated attackers to execute arbitrary SQL commands via unsanitized input in Views filters.

Executive summary

The Drupal Location Selector module is affected by a critical SQL injection vulnerability that could allow full database compromise.

Vulnerability

The vulnerability (CWE-89) occurs due to improper neutralization of special elements used in SQL commands. The module fails to properly sanitize user input within its Views filters, allowing an attacker to inject and execute malicious SQL queries.

Business impact

A CVSS score of 9.8 reflects the high risk associated with SQL injection, which can lead to unauthorized data disclosure, data modification, or total destruction of the database. This represents a significant risk to the confidentiality, integrity, and availability of the entire Drupal application.

Remediation

Immediate Action: Update the Location Selector module to version 1.3.0 to resolve the input validation flaws.

Proactive Monitoring: Scan database query logs for suspicious syntax or anomalies that suggest attempts to extract or manipulate table data.

Compensating Controls: Use a Web Application Firewall (WAF) to filter and block common SQL injection patterns in incoming HTTP requests until the module can be updated.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

The severity of this SQL injection necessitates an immediate update to version 1.3.0. Database security is paramount, and any delay in patching this vulnerability exposes the organization to significant risk of data breach and system compromise.