The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw affecting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), a SQL injection vulnerability that affects all supported versions of Drupal Core.
“An SQL injection vulnerability exists in Drupal Core that could allow privilege escalation or remote code execution via a specially crafted request sent in the database abstraction API,” CISA said.
News of the exploit comes less than two days after Drupal released a fix for the flaw. It is currently unknown how this vulnerability is exploited and what the ultimate goal of the attack is.
Patches are available for the following versions:
Drupal 11.3.10 Drupal 11.2.12 Drupal 11.1.10 Drupal 10.6.9 Drupal 10.5.10 Drupal 10.4.10 Drupal 9.5 (manual patching required) Drupal 8.9 (manual patching required)
In an advisory update on May 22, 2026, Drupal acknowledged that “exploit attempts are currently being detected in the wild.” Imperva, owned by Thales, said it observed more than 15,000 attack attempts targeting almost 6,000 individual sites in 65 countries.
“The attacks have so far mainly targeted gaming and financial services sites, which together account for almost 50% of all attacks,” the company said. “Most of the activity observed so far appears to be exploration activity.”
“This pattern suggests that attackers and scanners are primarily looking to identify exposed Drupal sites running configurations that leverage vulnerable PostgreSQL. Currently, much of the activity is reconnaissance and verification, but due to the nature of the vulnerability, successful exploitation could quickly move from exploration to data extraction and privilege escalation.”
Federal Civilian Executive Branch (FCEB) agencies are encouraged to apply the fix by May 27, 2026 for optimal protection.
Source link
