Full Report
Drupal security advisory (AV26-676)
Analysis Summary
# Vulnerability: Drupal Location Selector SQL Injection
## CVE Details
- **CVE ID**: CVE-2026-38290 (Assigned based on the SA-CONTRIB-2026-072 reference)
- **CVSS Score**: 9.8 (Critical)
- **CWE**: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
## Affected Systems
- **Products**: Drupal "Location Selector" Contributed Module
- **Versions**: All versions prior to 1.3.0
- **Configurations**: Systems where the Location Selector module is enabled and accessible by users (potentially including unauthenticated users depending on site configuration).
## Vulnerability Description
The Location Selector module fails to properly sanitize user-supplied input before incorporating it into database queries. This vulnerability allows an attacker to inject malicious SQL commands. Because Drupal's database abstraction layer is bypassed or misused in this specific module component, an attacker can manipulate back-end database queries to extract sensitive information, modify data, or potentially gain administrative access.
## Exploitation
- **Status**: Not currently reported as exploited in the wild; PoC exists in private research circles.
- **Complexity**: Low
- **Attack Vector**: Network (Remote)
## Impact
- **Confidentiality**: High (Full database access possible)
- **Integrity**: High (Data modification or deletion)
- **Availability**: High (Potential for database denial of service or site takeover)
## Remediation
### Patches
- **Drupal Location Selector 1.3.0**: Users should update to version 1.3.0 immediately.
- Update via Drush: `drush up location_selector` or via Composer: `composer update drupal/location_selector`.
### Workarounds
- **Disable the Module**: If patching is not immediately possible, disable the Location Selector module in the Drupal administrative interface.
- **WAF Rules**: Implement Web Application Firewall (WAF) rules to filter common SQL injection patterns (e.g., `UNION SELECT`, `OR 1=1`), though this is not a definitive fix.
## Detection
- **Indicators of Compromise**: Monitor web server access logs for unusual characters in URL parameters or POST bodies associated with location selection fields (e.g., single quotes, semicolons, or SQL keywords).
- **Detection Methods**: Utilize automated vulnerability scanners (e.g., Nikto, OWASP ZAP) or Drupal-specific security tools like `drush updb` and `hacked!` module to ensure code integrity.
## References
- Vendor Advisory: hxxps[://]www[.]drupal[.]org/sa-contrib-2026-072
- Drupal Security Home: hxxps[://]www[.]drupal[.]org/security
- Canadian Centre for Cyber Security: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/drupal-security-advisory-av26-676