Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core. "Drupal Core
Analysis Summary
# Vulnerability: Drupal Core SQL Injection (Actively Exploited)
## CVE Details
- **CVE ID:** CVE-2026-9082
- **CVSS Score:** 6.5 (Medium/Critical as updated in descriptive text)
- **CWE:** CWE-89 (SQL Injection)
## Affected Systems
- **Products:** Drupal Core
- **Versions:**
- Drupal 11.x (prior to 11.1.10, 11.2.12, 11.3.10)
- Drupal 10.x (prior to 10.4.10, 10.5.10, 10.6.9)
- Drupal 9.5 and 8.9 (Unsupported/End-of-life)
- **Configurations:** Systems utilizing PostgreSQL-backed configurations appear to be the primary target for current exploitation activity.
## Vulnerability Description
CVE-2026-9082 is a critical SQL injection vulnerability residing within the Drupal Core database abstraction API. The flaw stems from insufficient sanitization of specially crafted requests sent to the API. Because the database abstraction layer is a foundational component of the CMS, successful injection can lead to privilege escalation to administrator levels and, subsequently, Remote Code Execution (RCE).
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV on May 22, 2026).
- **Complexity:** Medium (requires knowledge of database abstraction API inputs).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Full database access and data extraction).
- **Integrity:** High (Privilege escalation and unauthorized modifications).
- **Availability:** High (Potential for system takeover via RCE).
## Remediation
### Patches
Update to the following versions immediately:
- Drupal 11.3.10
- Drupal 11.2.12
- Drupal 11.1.10
- Drupal 10.6.9
- Drupal 10.5.10
- Drupal 10.4.10
### Workarounds
- **Manual Patching:** Users on Drupal 9.5 and 8.9 must apply manual security patches as these versions are officially unsupported.
- **Web Application Firewall (WAF):** Ensure WAF rules are updated to block SQL injection patterns targeting Drupal endpoints.
## Detection
- **Indicators of Compromise:** Look for unusual SQL queries in database logs, particularly those involving the PostgreSQL backend. Monitor for unauthorized creation of administrative users.
- **Detection methods and tools:** Imperva and other security vendors have released signatures to detect reconnaissance and probing attempts. Approximately 15,000 attack attempts have been recorded targeting gaming and financial sectors.
## References
- **Vendor Advisory:** hxxps://www[.]drupal[.]org/sa-core-2026-004
- **CISA KEV Catalog:** hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Security Research:** hxxps://thehackernews[.]com/2026/05/drupal-core-sql-injection-bug-actively.html
- **Technical Analysis:** hxxps://www[.]imperva[.]com/blog/imperva-customers-protected-against-cve-2026-9082-in-drupal-core/