Skip to content

Critical Drupal SQL Injection Actively Exploited and Added to CISA Catalog

In short: A SQL injection vulnerability in Drupal Core is actively exploited and added by CISA to the catalog of known exploited vulnerabilities. Imperva has documented over 15,000 attack attempts against 6,000 websites, primarily targeting gaming and financial sites. Security patches are available.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security vulnerability in Drupal Core to its catalog of known exploited vulnerabilities. The SQL injection vulnerability CVE-2026-9082 is already being actively exploited in the wild.

The vulnerability CVE-2026-9082 (CVSS score: 6.5) affects all supported versions of Drupal Core. It enables privilege escalation and remote code execution through specially crafted requests to the database abstraction API. Less than two days after the publication of Drupal patches, active exploitation attempts were already reported. Security firm Imperva (a subsidiary of Thales) has observed over 15,000 attack attempts against nearly 6,000 individual websites in 65 countries. The attacks concentrate primarily on gaming and financial services websites, accounting for approximately 50 percent of all attacks combined. So far, these are predominantly reconnaissance attempts, with attackers and scanners attempting to identify accessible Drupal sites with vulnerable PostgreSQL configurations. Patches are available for Drupal versions 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. For Drupal 9.5 and 8.9, manual patching is required. U.S. federal agencies are instructed to deploy security patches by May 27, 2026.

Share on: