
Drupal Vulnerability in Hacker Crosshairs Shortly After Disclosure

Drupal is warning customers that it is already seeing attempts to exploit CVE-2026-9082, the highly critical vulnerability patched this week.

The vulnerability affects an API designed to ensure that database queries are sanitized to prevent SQL injection.

“A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases,” Drupal explains.

The flaw can be exploited by unauthenticated attackers to obtain information and, in some cases, for privilege escalation and remote code execution.

Drupal predicted that an exploit for CVE-2026-9082 could be created within hours or days of disclosure and alerted customers prior to the patch’s release on May 20.

The CMS powers hundreds of thousands of websites, but the security hole only affects sites that use PostgreSQL, and Drupal believes fewer than 5% are affected.

Nevertheless, the advisory for CVE-2026-9082 was updated on March 22 to inform customers that the risk score has been raised from 20 to 23 “to reflect that exploit attempts are now being detected in the wild”. It’s worth noting that Drupal uses the NIST CMSS scoring system for vulnerabilities, and the maximum risk score is 25.


Imperva reported seeing more than 15,000 exploitation attempts targeting nearly 6,000 sites across 65 countries. Almost half of the attacks were aimed at gaming and financial services websites.

“This pattern suggests attackers and scanners are primarily attempting to identify exposed Drupal sites running vulnerable PostgreSQL-backed configurations. While the activity is currently dominated by reconnaissance and validation, the nature of the vulnerability means successful exploitation could quickly move from probing to data extraction or privilege escalation,” the security firm warned.

‘Highly critical’ vulnerabilities haven’t been patched in Drupal in years, and there haven’t been any reports of new Drupal vulnerabilities being exploited in the wild since 2019.

Prior to 2019, the flaws dubbed Drupalgeddon and Drupalgeddon2 made headlines for being exploited to compromise many websites.
