Critical SQL Injection in Drupal Core (CVE‑2026‑9082) Added to CISA KEV Catalog Threatens PostgreSQL‑Backed Sites
What It Is – Drupal Core contains a high‑severity SQL injection (CVE‑2026‑9082) that allows unauthenticated attackers to inject arbitrary SQL on sites using PostgreSQL. The flaw resides in the query‑sanitisation API and can lead to data leakage, privilege escalation, or remote code execution.
Exploitability – CVSS 9.8 (Critical). CISA placed the flaw in its Known Exploited Vulnerabilities (KEV) catalog after observing thousands of exploitation attempts in the wild within 48 hours of disclosure. Public PoCs and scanner signatures are already available.
Affected Products – Drupal Core (all versions prior to the May 20 2026 patch) when configured with PostgreSQL as the backend database.
TPRM Impact – Organizations that rely on Drupal for public‑facing portals, intranets, or as a SaaS component face immediate supply‑chain risk. Compromise of a Drupal instance can expose customer data, credentials, and internal services, potentially cascading to downstream partners.
Recommended Actions –
- Verify that all Drupal installations are running the May 20 2026 security patch (or later).
- Immediately apply the patch to any unpatched Drupal sites, prioritising those using PostgreSQL.
- Conduct a rapid inventory of third‑party services that host Drupal‑based applications and confirm patch status.
- Deploy Web Application Firewalls (WAF) with rules to block the known malicious request patterns identified by Imperva.
- Review database logs for anomalous queries indicative of exploitation attempts.
Source: Security Affairs