Drupal Core SQL Injection Flaw Exploited, Hits CISA List

CISA has added a critical Drupal Core SQL injection flaw, CVE-2026-9082, to its Known Exploited Vulnerabilities catalog after researchers logged over 15,000 attack attempts.

Drupal Core SQL Injection Flaw Exploited, Hits CISA List

Drupal Core SQL injection vulnerability added to CISA KEV catalog

A critical SQL injection flaw in Drupal Core is now under active attack, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog. The speed of exploitation, arriving less than two days after a fix shipped, highlights how quickly attackers move against widely deployed content management systems.

The vulnerability

Tracked as CVE-2026-9082 and carrying a CVSS score of 6.5, the flaw affects all supported versions of Drupal Core. According to CISA, it stems from the platform's database abstraction API, where specially crafted requests can trigger SQL injection that enables privilege escalation and remote code execution. Drupal updated its own advisory on May 22 to confirm that exploit attempts were being seen in the wild. The project did not detail how the attacks are being carried out or what the end goals might be.

Tens of thousands of attempts

Thales-owned Imperva reported observing more than 15,000 attack attempts against nearly 6,000 individual sites across 65 countries. The firm said gaming and financial services sites accounted for roughly half of the activity so far, though most of it appears to be reconnaissance and validation rather than full exploitation. Researchers cautioned that the probing pattern suggests attackers are mapping exposed Drupal sites running vulnerable PostgreSQL-backed configurations, and that the campaign could escalate quickly from scanning to data extraction or privilege escalation.

Patches and deadlines

Fixes are available for Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10 and 10.4.10, while legacy 9.5 and 8.9 deployments require manual patching. Federal Civilian Executive Branch agencies have been directed to apply the updates by May 27, 2026. Administrators running older or unmaintained installations face the greatest exposure, since attackers tend to concentrate on internet-facing systems that lag behind on updates.

What administrators should do

Security teams are advised to upgrade affected sites immediately, audit logs for suspicious database queries, and prioritize public-facing or PostgreSQL-backed Drupal instances. Where patching cannot happen at once, web application firewall rules can help blunt opportunistic scanning while fixes are scheduled.

Part of a broader surge

The Drupal incident adds to a steady drumbeat of exploitation and infrastructure attacks, including the Megalodon GitHub Actions campaign and the TeamPCP repository breach. Law enforcement has pushed back as well, recently coordinating a global takedown of a criminal VPN service tied to ransomware operators.

Reporting based on coverage from The Hacker News, CISA and Imperva.

Category: Cyber Security

Tags: Security Cybersecurity Supply Chain

Related Articles