The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added a just lately patched essential security flaw impacting Drupal Core to its Identified Exploited Vulnerabilities (KEV) catalog, based mostly on proof of energetic exploitation.
The vulnerability in query is CVE-2026-9082 (CVSS rating: 6.5), an SQL injection vulnerability affecting all supported variations of Drupal Core.
“Drupal Core comprises a SQL injection vulnerability that might permit for privilege escalation and distant code execution by way of specifically crafted requests despatched with the database abstraction API,” CISA stated.
Information of exploitation arrives lower than two days after Drupal launched fixes for the flaw. It is presently not identified how the vulnerability is being exploited, and what the top targets of these assaults are.
Patches can be found for the next variations –
- Drupal 11.3.10
- Drupal 11.2.12
- Drupal 11.1.10
- Drupal 10.6.9
- Drupal 10.5.10
- Drupal 10.4.10
- Drupal 9.5 (Guide patching required)
- Drupal 8.9 (Guide patching required)
In an replace to its advisory on Could 22, 2026, Drupal acknowledged that “exploit makes an attempt at the moment are being detected within the wild.” Thales-owned Imperva stated it has noticed over 15,000 assault makes an attempt focusing on nearly 6,000 particular person websites throughout 65 international locations.
“Attacks are primarily focusing on gaming and monetary companies websites up to now, at collectively nearly 50% of all assaults,” the corporate stated. “Many of the noticed exercise up to now seems to be probing.”
“This sample suggests attackers and scanners are primarily trying to establish uncovered Drupal websites operating susceptible PostgreSQL-backed configurations. Whereas the exercise is presently dominated by reconnaissance and validation, the character of the vulnerability means profitable exploitation may rapidly transfer from probing to information extraction or privilege escalation.”
Federal Civilian Government Department (FCEB) businesses have been really useful to use the fixes by Could 27, 2026, for optimum safety.
