Drupal Core SQL Injection Vulnerability (CVE-2026-9082) Actively Exploited in the Wild
Summary
A critical SQL injection vulnerability in Drupal Core (CVE-2026-9082, CVSS 6.5) has been confirmed as actively exploited in the wild, prompting CISA to add it to the Known Exploited Vulnerabilities (KEV) catalog. The flaw affects all supported Drupal Core versions, enabling privilege escalation and potential remote code execution via specially crafted requests leveraging the database abstraction API. Attackers are probing and targeting vulnerable PostgreSQL-backed Drupal sites, with observed activity concentrated in gaming and financial services sectors across 65 countries. Federal agencies have been directed to apply patches by May 27, 2026.
Timeline
- 23.05.2026 10:23 (1 article)
Drupal Core SQL Injection (CVE-2026-9082) Added to CISA KEV Catalog Following Active Exploitation
CISA added CVE-2026-9082 to the Known Exploited Vulnerabilities (KEV) catalog on May 23, 2026, following confirmed exploitation in the wild. The vulnerability, which impacts all supported Drupal Core versions, enables SQL injection leading to privilege escalation and remote code execution via the database abstraction API. Patches were released by Drupal less than 48 hours prior, with Imperva reporting over 15,000 attack attempts across 6,000 sites in 65 countries. Federal agencies have been directed to apply fixes by May 27, 2026.
Sources:
- Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV — thehackernews.com — 23.05.2026 10:23
Information Snippets
- CVE-2026-9082 is a SQL injection vulnerability in Drupal Core with a CVSS score of 6.5, enabling privilege escalation and remote code execution.
  First reported: 23.05.2026 10:23 (1 source, 1 article)
- Exploitation attempts have been detected in the wild, including over 15,000 attack attempts targeting nearly 6,000 sites across 65 countries.
  First reported: 23.05.2026 10:23 (1 source, 1 article)
- Attackers are primarily targeting gaming and financial services sites, representing almost 50% of observed activity.
  First reported: 23.05.2026 10:23 (1 source, 1 article)
- Vulnerable configurations appear to be PostgreSQL-backed Drupal sites, with most activity currently focused on reconnaissance and probing.
  First reported: 23.05.2026 10:23 (1 source, 1 article)
- Patches are available for Drupal versions 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10, 9.5, and 8.9 (manual patching required for 9.5 and 8.9).
  First reported: 23.05.2026 10:23 (1 source, 1 article)
- CISA has added CVE-2026-9082 to the Known Exploited Vulnerabilities (KEV) catalog, mandating remediation for Federal Civilian Executive Branch (FCEB) agencies by May 27, 2026.
  First reported: 23.05.2026 10:23 (1 source, 1 article)