Critical Drupal SQL Injection (CVE‑2026‑9082) Actively Exploited, Threatening Millions of Websites
What Happened — Drupal disclosed a “highly critical” SQL‑injection flaw (CVE‑2026‑9082) in its database abstraction layer. Within days of the advisory, threat actors began probing vulnerable sites, and exploitation attempts have been observed in the wild. The vulnerability can be triggered without authentication and may lead to remote code execution, privilege escalation, and data theft.
Why It Matters for TPRM —
- Third‑party web applications built on Drupal can become an attack surface for your organization’s data.
- Exploitation can lead to credential leakage or ransomware pivot points that affect downstream supply‑chain partners.
- Unpatched legacy Drupal versions (8/9) are still in use by many vendors, increasing residual risk.
Who Is Affected — Technology/SaaS providers, media & publishing firms, e‑commerce platforms, government portals, and any organization that relies on Drupal‑based web properties.
Recommended Actions —
- Verify that all Drupal instances in your vendor ecosystem are running the latest patched releases for their branch.
- Prioritize remediation for sites still on PostgreSQL‑backed installations, as they are directly exploitable.
- Conduct a rapid inventory of third‑party services that embed Drupal, and enforce patch‑management SLAs.
Technical Notes — The flaw resides in Drupal’s database abstraction API, allowing crafted HTTP requests to inject arbitrary SQL on PostgreSQL back‑ends. It is exploitable without credentials and can lead to remote code execution. Affected versions include Drupal 8.9.x, 10.4.x < 10.4.10, 10.5.x < 10.5.10, 10.6.x < 10.6.9, 11.0.x/11.1.x < 11.1.10, 11.2.x < 11.2.12, and 11.3.x < 11.3.10. Source: BleepingComputer