CISA Warns of Active Exploitation of Critical Drupal Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly patched Drupal Core vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after confirming evidence of active exploitation in the wild.

The flaw, tracked as CVE-2026-9082, affects all supported branches of Drupal Core (with manual patches also provided for the unsupported 9.5 and 8.9 branches) and carries a CVSS severity score of 6.5.

According to CISA, the vulnerability is an SQL injection issue that could allow attackers to escalate privileges and potentially achieve remote code execution through specially crafted requests targeting Drupal’s database abstraction API.

Drupal Releases Emergency Security Updates

The warning comes less than 48 hours after the Drupal security team released patches addressing the vulnerability. The following versions contain the fixes:

  • Drupal 11.3.10
  • Drupal 11.2.12
  • Drupal 11.1.10
  • Drupal 10.6.9
  • Drupal 10.5.10
  • Drupal 10.4.10
  • Drupal 9.5 (manual patch required)
  • Drupal 8.9 (manual patch required)

In an updated advisory published on May 22, 2026, Drupal confirmed that exploitation attempts are already being observed in real-world attacks.

Thousands of Attack Attempts Detected Worldwide

Cybersecurity firm Imperva, owned by Thales, reported seeing more than 15,000 attack attempts targeting nearly 6,000 Drupal websites across 65 countries.

Researchers noted that attackers are primarily focusing on websites in the gaming and financial services sectors, which together account for almost half of the observed attack activity.

Most attacks currently appear to involve reconnaissance and validation efforts aimed at identifying vulnerable Drupal installations backed by PostgreSQL.

However, security experts warn that the threat could rapidly escalate beyond scanning activity.

“While the current activity is largely focused on probing vulnerable systems, successful exploitation could quickly lead to data theft, privilege escalation, or remote code execution,” researchers warned.

CISA Urges Immediate Patching

CISA has instructed Federal Civilian Executive Branch (FCEB) agencies to apply the available patches no later than May 27, 2026.

Organizations running Drupal websites are strongly encouraged to update immediately, especially internet-facing systems, to reduce the risk of compromise.

Recommended Actions for Drupal Administrators

  • Upgrade Drupal Core to the latest patched version
  • Apply the manual patches for the unsupported 9.5 and 8.9 branches, which have no fixed release
  • Monitor web server and Drupal logs for unusual database-related requests and unexpected database errors
  • Restrict the database account Drupal uses to the privileges it actually needs
  • Enable web application firewall (WAF) protections where possible
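A quick way to act on the first two items across a fleet is to read the version constant that Drupal Core keeps in core/lib/Drupal.php and compare it, per branch, against the fixed releases listed above. The script below is an added example written for this article, not code from the Drupal project or from the advisory; the sample file contents are constructed, and the classification of branches the advisory does not name (such as end-of-life minor releases) as "unpatched" is a conservative assumption of the example.

```python
import re
from typing import Optional

# Fixed Drupal Core releases named in the advisory above: branch -> first patched patch level.
FIXED_RELEASES = {
    (11, 3): 10,
    (11, 2): 12,
    (11, 1): 10,
    (10, 6): 9,
    (10, 5): 10,
    (10, 4): 10,
}

# Branches for which the advisory lists only a manual patch and no fixed release number.
MANUAL_PATCH_BRANCHES = {(9, 5), (8, 9)}

# Drupal Core records its version as a class constant in core/lib/Drupal.php,
# e.g.  const VERSION = '10.6.8';
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")

# Drupal versions follow semantic versioning with an optional pre-release suffix (-dev, -rc1, ...).
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def extract_version(drupal_php: str) -> Optional[str]:
    """Return the VERSION string from the contents of core/lib/Drupal.php, or None if absent."""
    match = VERSION_RE.search(drupal_php)
    return match.group(1) if match else None


def assess(version: str) -> str:
    """Classify a Drupal Core version against the fixed releases.

    Returns 'patched', 'unpatched', 'manual-patch-required' or 'unknown'.
    """
    match = SEMVER_RE.match(version)
    if not match:
        return "unknown"
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    prerelease = match.group(4)
    branch = (major, minor)

    if branch in MANUAL_PATCH_BRANCHES:
        # 9.5 and 8.9 get no new release; the version string alone cannot show
        # whether the manual patch was applied, so flag the site for inspection.
        return "manual-patch-required"

    if branch not in FIXED_RELEASES:
        # Assumption of this example: a branch the advisory does not name has no
        # fix available and is treated as unpatched (typically an end-of-life minor).
        return "unpatched"

    fixed_patch = FIXED_RELEASES[branch]
    if patch > fixed_patch:
        return "patched"
    if patch == fixed_patch and prerelease is None:
        return "patched"
    # Either an older patch level, or a -dev/-rc build of the fix version,
    # which predates the actual fixed release and must not count as patched.
    return "unpatched"


# Constructed sample of a core/lib/Drupal.php excerpt (not taken from any real site).
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '10.6.8';
}
"""

if __name__ == "__main__":
    # In practice, replace SAMPLE_DRUPAL_PHP with open('<docroot>/core/lib/Drupal.php').read()
    found = extract_version(SAMPLE_DRUPAL_PHP)
    if found is None:
        print("VERSION constant not found")
    else:
        print(f"Drupal {found}: {assess(found)}")
```

Run it against each site's docroot; anything reported as "unpatched" or "manual-patch-required" should be treated as exposed until it is updated or the manual patch has been verified by other means, since a version string cannot prove that a hand-applied patch is present.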

Given the ongoing exploitation attempts, delaying updates could leave systems vulnerable to compromise.
