Find notable cyber news and cases, enriched with sources, timelines, and signals.

Drupal core security update for CVE-2026-9082

Security Patch Release
First reported
Last updated
Happening score
H score 74
1 unique sources, 2 articles

Summary

Hide ▲

Drupal released security updates for CVE-2026-9082, a highly critical SQL injection flaw affecting PostgreSQL-backed sites, and urged administrators to upgrade immediately. The update covers multiple Drupal branches, including 10.x and 11.x, and also includes fixes for upstream dependencies such as Symfony and Twig. The advisory matters because the flaw is unauthenticated and exploit attempts were already being detected in the wild.

Related Happenings

JCE Pro 2.9.99.6 patch for CVE-2026-48907

Security Patch Release
H score46 First: 17.06.2026 13:09 Last: 17.06.2026 13:09 Sources 1

About this happening: **JCE security team** released **JCE Pro 2.9.99.6** in **early June 2026** to fix **CVE-2026-48907** in the **Widget Factory Joomla Content Editor (JCE) plugin**. The update addre...

Ivanti Sentry patch release for CVE-2026-10520 and CVE-2026-10523

Security Patch Release
H score54 First: 10.06.2026 09:26 Last: 10.06.2026 09:26 Sources 1

About this happening: **Ivanti** released a **patch bundle** for **Sentry** after identifying **two critical vulnerabilities** in the secure mobile gateway appliance, including **CVE-2026-10520** and *...

Gogs 0.14.3 security update for argument injection flaw

Security Patch Release
H score60 First: 08.06.2026 19:18 Last: 08.06.2026 19:18 Sources 1

About this happening: The **Gogs maintainers** shipped **version 0.14.3** to fix a critical **argument injection** zero-day that could let attackers compromise **Internet-facing instances** and reach *...

LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)

Security Patch Release
H score42 First: 27.05.2026 13:06 Last: 27.05.2026 13:06 Sources 1

About this happening: LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...

Latest development: 16.06.2026 13:47

CISA added CVE-2026-48172/CVE-2026-54420 in the LiteSpeed cPanel user-end plugin to the Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within three days under BOD 26-04. The affected plugin versions before 2.4.8 are described as actively exploited, with FTP or web shell access enabling root escalation on shared hosting servers running CloudLinux/CageFS.

CISA orders FCEB patching for CVE-2026-9082

Public Sector Action
H score70 First: 26.05.2026 11:46 Last: 26.05.2026 11:46 Sources 1

How related: On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by Binding Operational Directive (BOD) 22-01.

About this happening: **CISA** added **CVE-2026-9082** to the **KEV Catalog** and ordered **FCEB agencies** to patch **Drupal** by **May 27**, turning an actively exploited flaw into a mandatory federa...

Timeline

  1. 22.05.2026 03:00 2 articles · 1mo ago

    Drupal confirms exploitation attempts for CVE-2026-9082

    Detection Ioc Update

    Drupal updated its advisory on May 22, 2026 to say exploitation attempts were being detected in the wild and reiterated that website owners and administrators should upgrade immediately to the latest version available for their branch, including Drupal 10.4.x before 10.4.10, 10.5.x before 10.5.10, 10.6.x before 10.6.9, and 11.0.x / 11.1.x before 11.1.10, with bundled fixes for upstream dependencies such as Symfony and Twig.

    Show sources
  2. 18.05.2026 03:00 2 articles · 1mo ago

    Drupal issues PSA for CVE-2026-9082

    Initial Disclosure

    Drupal published a PSA on May 18, 2026 warning administrators to reserve time for core updates after announcing CVE-2026-9082, a highly critical SQL injection flaw in Drupal’s database abstraction API that affects PostgreSQL sites and may be exploited within hours or days.

    Show sources