A critical security vulnerability affecting Drupal Core is now being actively exploited across the internet, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
Tracked as CVE-2026-9082, the vulnerability involves a dangerous SQL injection weakness that could allow attackers to escalate privileges and potentially execute remote code on vulnerable Drupal websites.
Drupal Confirms Active Exploitation
The flaw impacts all supported versions of Drupal Core and was publicly patched only days before widespread attack activity was detected.
According to security advisories, attackers can abuse specially crafted requests interacting with Drupal’s database abstraction API to manipulate backend database operations.
Drupal developers later updated their advisory to confirm that exploitation attempts were already occurring in the wild shortly after the patches were released.
Thousands of Attack Attempts Detected
Security company Imperva reported observing more than 15,000 attack attempts targeting nearly 6,000 Drupal websites across 65 countries.
Researchers noted that gaming platforms and financial services websites currently account for nearly half of the observed attacks.
Most activity appears focused on reconnaissance and vulnerability validation, where attackers scan systems to identify exposed Drupal installations using vulnerable PostgreSQL-backed configurations.
However, experts warn that successful exploitation could rapidly escalate into:
- Data theft
- Privilege escalation
- Website compromise
- Remote code execution
- Full server takeover
Patched Versions Released
Security updates have been issued for multiple Drupal release branches, including:
- Drupal 11.3.10
- Drupal 11.2.12
- Drupal 11.1.10
- Drupal 10.6.9
- Drupal 10.5.10
- Drupal 10.4.10
Older Drupal 9.5 and Drupal 8.9 installations require manual patching procedures.
Administrators are strongly advised to update immediately, especially for internet-facing websites handling sensitive user data.
CISA Adds Vulnerability to KEV Catalog
Due to confirmed exploitation, the vulnerability has now been added to CISA’s Known Exploited Vulnerabilities catalog, a list used to track security flaws actively targeted by threat actors.
Federal Civilian Executive Branch (FCEB) agencies have been instructed to apply patches no later than May 27, 2026, underscoring the urgency of the threat.
Security Experts Warn of Escalating Risk
Cybersecurity analysts caution that SQL injection vulnerabilities remain among the most dangerous web application weaknesses because they can provide attackers direct interaction with backend databases.
In severe cases, attackers may gain administrative access, extract sensitive records, or chain vulnerabilities together for complete system compromise.
The rapid emergence of exploitation activity following disclosure demonstrates how quickly attackers weaponize newly published vulnerabilities.
Recommended Security Measures
Organizations running Drupal websites should take the following actions immediately:
- Upgrade to the latest patched Drupal version
- Audit logs for suspicious database requests
- Restrict unnecessary database permissions
- Enable web application firewall (WAF) protections
- Monitor for unauthorized administrator accounts
- Conduct post-patch vulnerability scans
Security teams are also encouraged to verify backup integrity and review exposed PostgreSQL configurations.
Conclusion
The active exploitation of CVE-2026-9082 highlights the ongoing threat posed by unpatched content management systems and internet-facing web applications. With thousands of attack attempts already observed globally, rapid patch deployment and proactive monitoring are essential to preventing large-scale website compromise.
