The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw affecting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This move flags CVE-2026-9082, an SQL injection vulnerability, as an immediate threat requiring attention from organizations utilizing the popular content management system.
The vulnerability, which carries a CVSS score of 6.5, impacts all supported versions of Drupal Core. CISA warns that it could permit privilege escalation and remote code execution through specially crafted requests targeting the database abstraction API. The agency’s inclusion of the flaw in the KEV catalog underscores the urgency for its remediation.
Drupal Core Vulnerability Actively Exploited
The recognition of active exploitation comes less than two days after Drupal released patches for the critical vulnerability. While the precise methods of exploitation and the ultimate objectives of the attackers remain unclear, the speed at which malicious actors have begun targeting this flaw is notable. This pattern suggests a swift response from threat actors upon the disclosure and patching of widely used software.
Drupal’s advisory, updated on May 22, 2026, confirmed that “exploit attempts are now being detected in the wild.” Security analysis from Thales-owned Imperva indicates that over 15,000 attack attempts have been observed, impacting nearly 6,000 individual sites across 65 countries. This widespread activity highlights the interconnectedness and potential attack surface presented by web content management systems.
Targeted Industries and Attack Patterns
Initial observations suggest that gaming and financial services websites are the primary targets, collectively accounting for almost 50% of all observed attacks. The majority of the detected activity appears to be in the reconnaissance and probing phase, according to Imperva. This initial stage is crucial for attackers to identify vulnerable systems before launching more impactful exploits.
The pattern observed, where attackers are primarily seeking Drupal sites running vulnerable PostgreSQL-backed configurations, points towards a specific exploit vector. While current activity is largely reconnaissance, the inherent nature of an SQL injection vulnerability means that successful exploitation could rapidly escalate from probing to more severe actions such as data extraction or privilege escalation. This potential for rapid escalation emphasizes the importance of timely patching.
Mitigation and Federal Agency Deadlines
Drupal has released patches for several versions to address CVE-2026-9082. These include updates for Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. For older versions, manual patching is required for Drupal 9.5 and Drupal 8.9. It is critical for all users to apply these fixes as soon as possible to protect their websites.
Federal Civilian Executive Branch (FCEB) agencies have been issued a directive to implement these critical fixes by May 27, 2026. This deadline aims to ensure that government systems are adequately protected against potential exploitation of this SQL injection vulnerability. The inclusion in CISA’s KEV catalog means that federal agencies are subject to mandatory reporting and remediation timelines.
The ongoing exploitation of this Drupal Core vulnerability serves as a stark reminder of the constant threat landscape. Organizations using Drupal, particularly those in the targeted sectors, should prioritize immediate patching. The coming days will likely reveal more about the scope and impact of this ongoing exploitation campaign, and whether the observed reconnaissance activity will mature into more destructive attacks. Monitoring CISA’s KEV catalog and applying vendor-provided security updates remains a fundamental defense strategy for web applications.