Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV

Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV Ravie LakshmananMay 23, 2026Vulnerability / Website Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core. "Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API," CISA said. News of exploitation arrives less than two days after Drupal released fixes for the flaw. It's currently not known how the vulnerability is being exploited, and what the end goals of those attacks are. Patches are available for the following versions - Drupal 11.3.10 Drupal 11.2.12 Drupal 11.1.10 Drupal 10.6.9 Drupal 10.5.10 Drupal 10.4.10 Drupal 9.5 (Manual patching required) Drupal 8.9 (Manual patching required) In an update to its advisory on May 22, 2026, Drupal acknowledged that "exploit attempts are now being detected in the wild." Thales-owned Imperva said it has observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries. "Attacks are primarily targeting gaming and financial services sites so far, at collectively almost 50% of all attacks," the company said. "Most of the observed activity so far appears to be probing." "This pattern suggests attackers and scanners are primarily attempting to identify exposed Drupal sites running vulnerable PostgreSQL-backed configurations. While the activity is currently dominated by reconnaissance and validation, the nature of the vulnerability means successful exploitation could quickly move from probing to data extraction or privilege escalation." Federal Civilian Executive Branch (FCEB) agencies have been recommended to apply the fixes by May 27, 2026, for optimal protection. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  CISA, cybersecurity, Drupal, Imperva, privilege escalation, remote code execution, SQL Injection, Vulnerability ⚡ Top Stories This Week New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Load More ▼ ⭐ Featured Resources [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage [Webinar] Learn How to Handle Critical SOC Alerts With AI Support Identify Internal Attack Surfaces More Efficiently With a Free Assessment [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk