HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Drupal SQL Injection (CVE-2026-9082) Actively Exploited, Threatening Thousands of Sites

A critical SQL injection (CVE‑2026‑9082) in Drupal’s core API is being exploited in the wild within two days of its patch release. The flaw affects sites that run PostgreSQL, exposing government, education, media and financial services to data theft and possible remote code execution. Immediate remediation is required for third‑party risk managers.

LiveThreat™ Intelligence · 📅 May 24, 2026· 📰 securityaffairs.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

Critical Drupal SQL Injection (CVE‑2026‑9082) Threatens PostgreSQL‑Backed Sites

What It Is – A newly disclosed SQL injection (CVE‑2026‑9082) in Drupal’s query‑sanitisation API allows unauthenticated attackers to inject arbitrary SQL on sites that use PostgreSQL as the database backend. The flaw can lead to data disclosure, privilege escalation and, in certain configurations, remote code execution.

Exploitability – Exploits appeared within 48 hours of the patch release on May 20 2026. Threat intel firms have logged >15 000 attempts against ~6 000 sites in 65 countries. CVSS v3.1 base score 23/25 (Critical).

Affected Products – Drupal 9/10 core (all versions prior to the May 20 patch) when configured with PostgreSQL. Estimated <5 % of all Drupal installations, but still thousands of global sites.

TPRM Impact – Organizations that rely on Drupal‑powered web portals, intranets, or public‑facing services (government agencies, universities, media outlets, gaming and financial platforms) face immediate supply‑chain risk: potential data breach, credential theft, and service disruption.

Recommended Actions

  • Deploy the May 20 Drupal security patch immediately on all Drupal instances.
  • Verify the database backend; if PostgreSQL is used, confirm the patch is applied and test for successful remediation.
  • Enable Web Application Firewall (WAF) rules that block the known malicious request patterns.
  • Review web server and database logs for anomalous queries or failed login attempts from the last 48 hours.
  • Conduct a rapid inventory of all third‑party Drupal sites in your ecosystem and prioritize patching.
  • Consider temporary mitigation (e.g., read‑only database mode) for high‑risk sites while patching.

Source: Security Affairs – CVE‑2026‑9082: Drupal’s Highly Critical SQL Injection Flaw Is Already Under Active Attack

📰 Original Source
https://securityaffairs.com/192557/security/cve-2026-9082-drupals-highly-critical-sql-injection-flaw-is-already-under-active-attack.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →