Latest Cyber Security News

You are here: Home / General Cyber Security News / Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV
May 23, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


“Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API,” CISA said.

News of exploitation arrives less than two days after Drupal released fixes for the flaw. It’s currently not known how the vulnerability is being exploited, and what the end goals of those attacks are.

Cybersecurity

Patches are available for the following versions –

  • Drupal 11.3.10
  • Drupal 11.2.12
  • Drupal 11.1.10
  • Drupal 10.6.9
  • Drupal 10.5.10
  • Drupal 10.4.10
  • Drupal 9.5 (Manual patching required)
  • Drupal 8.9 (Manual patching required)

In an update to its advisory on May 22, 2026, Drupal acknowledged that “exploit attempts are now being detected in the wild.” Thales-owned Imperva said it has observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries.

“Attacks are primarily targeting gaming and financial services sites so far, at collectively almost 50% of all attacks,” the company said. “Most of the observed activity so far appears to be probing.”

“This pattern suggests attackers and scanners are primarily attempting to identify exposed Drupal sites running vulnerable PostgreSQL-backed configurations. While the activity is currently dominated by reconnaissance and validation, the nature of the vulnerability means successful exploitation could quickly move from probing to data extraction or privilege escalation.”

Federal Civilian Executive Branch (FCEB) agencies have been recommended to apply the fixes by May 27, 2026, for optimal protection.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *