Critical SQL Injection in Drupal Core (CVE‑2026‑9082) Actively Exploited, Added to CISA KEV
What It Is – A newly disclosed SQL‑injection flaw (CVE‑2026‑9082) affects all supported releases of Drupal Core. The vulnerability allows an unauthenticated attacker to inject arbitrary SQL commands, potentially exposing or modifying site data.
Exploitability – CISA has placed the bug in its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. A proof‑of‑concept exploit has been published, and the CVSS base score is 6.5 (Medium).
Affected Products – Drupal Core (all supported versions, including 9.x, 10.x, and the latest 11.x release).
TPRM Impact – Many enterprises rely on Drupal‑powered public‑facing sites, portals, and intranets supplied by third‑party agencies or SaaS providers. A breach could cascade to partner data, customer‑facing applications, and downstream services, raising supply‑chain risk.
Recommended Actions –
- Verify that the latest Drupal security patch (released 2026‑05‑20) is applied to every Drupal instance.
- Conduct an immediate inventory of all Drupal‑based assets across your vendor ecosystem.
- Run web‑application firewalls (WAF) with rules that block typical SQL‑i payloads for any unpatched sites.
- Request proof of remediation from third‑party service providers that host or manage Drupal sites on your behalf.
- Update your vulnerability‑management program to treat KEV‑listed items as “high‑priority” for 48‑hour remediation.
Source: The Hacker News – Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV