NewsSecurity Vulnerabilities

Exploitation of Critical SQL Injection Vulnerability in Drupal (CVE-2026-9082)

CVE number – CVE-2026-9082

A critical vulnerability in the Drupal content management system is being actively exploited, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalogue.

Tracked as CVE-2026-9082 and rated 9.8 (CVSS), the flaw enables unauthenticated attackers to execute arbitrary SQL injection through specially crafted requests. The issue stems from improper handling of special elements within Drupal Core’s database extraction API and affects Drupal sites that use PostgreSQL databases.

Drupal disclosed the vulnerability and released patches on May 20, later updating its advisory on May 22 after confirming evidence of exploitation attempts. CISA subsequently set a May 27 remediation deadline for Federal Civilian Executive Branch (FCEB) agencies. According to Imperva Security, more than 15,000 exploitation attempts have been detected, with the majority targeting organizations in the United States across the gaming, financial services, technology, and business sectors.

Given the severity of the vulnerability, Drupal recommends upgrading to the latest supported release specified in its advisory. The project has also issued backported fixes for several end-of-life versions to help affected organizations mitigate the risk.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.