Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV
CVE-2026-9082 SQL injection in Drupal Core is actively exploited with 15,000+ attempts against ~6,000 sites. CISA added it to KEV — patch before May 27.
What’s new
A critical SQL injection vulnerability (CVE-2026-9082, CVSS score: 6.5) in Drupal Core has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in the wild. The flaw affects all supported versions of Drupal Core and can enable privilege escalation and remote code execution via specially crafted requests. Over 15,000 exploit attempts targeting nearly 6,000 sites globally have already been detected.
Who’s affected
All supported Drupal Core versions are affected: Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10, and legacy versions 9.5 and 8.9 (which require manual patching). Federal Civilian Executive Branch agencies face a mandatory fix deadline of May 27, 2026.
What to do
- Apply the available security patches for your Drupal Core version immediately — do not wait.
- FCEB agencies must remediate by May 27, 2026 per CISA’s binding operational directive.
- Review server logs for unusual SQL patterns or privilege escalation attempts as indicators of compromise.



