HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical Drupal SQL Injection (CVE‑2026‑9082) Actively Exploited, Threatening Millions of Websites

Drupal’s newly disclosed SQL‑injection flaw (CVE‑2026‑9082) is being actively exploited in the wild. The unauthenticated vulnerability affects a broad range of Drupal versions and can lead to remote code execution. Organizations relying on Drupal‑based web properties must patch immediately to mitigate third‑party risk.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

Critical Drupal SQL Injection (CVE‑2026‑9082) Actively Exploited, Threatening Millions of Websites

What Happened — Drupal disclosed a “highly critical” SQL‑injection flaw (CVE‑2026‑9082) in its database abstraction layer. Within days of the advisory, threat actors began probing vulnerable sites, and exploitation attempts have been observed in the wild. The vulnerability can be triggered without authentication and may lead to remote code execution, privilege escalation, and data theft.

Why It Matters for TPRM

  • Third‑party web applications built on Drupal can become an attack surface for your organization’s data.
  • Exploitation can lead to credential leakage or ransomware pivot points that affect downstream supply‑chain partners.
  • Unpatched legacy Drupal versions (8/9) are still in use by many vendors, increasing residual risk.

Who Is Affected — Technology/SaaS providers, media & publishing firms, e‑commerce platforms, government portals, and any organization that relies on Drupal‑based web properties.

Recommended Actions

  • Verify that all Drupal instances in your vendor ecosystem are running the latest patched releases for their branch.
  • Prioritize remediation for sites still on PostgreSQL‑backed installations, as they are directly exploitable.
  • Conduct a rapid inventory of third‑party services that embed Drupal, and enforce patch‑management SLAs.

Technical Notes — The flaw resides in Drupal’s database abstraction API, allowing crafted HTTP requests to inject arbitrary SQL on PostgreSQL back‑ends. It is exploitable without credentials and can lead to remote code execution. Affected versions include Drupal 8.9.x, 10.4.x < 10.4.10, 10.5.x < 10.5.10, 10.6.x < 10.6.9, 11.0.x/11.1.x < 11.1.10, 11.2.x < 11.2.12, and 11.3.x < 11.3.10. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/drupal-critical-sql-injection-flaw-now-targeted-in-attacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →