Skip to main content
Emerging ThreatsMalware & Ransomware

Drupal Core SQL Injection Flaw Actively Exploited

A Drupal website's backend system on a minimalist desk with code on a laptop screen.

"exploit attempts are now being detected in the wild," Drupal acknowledged in an update on May 22, 2026.

CVE-2026-9082: a concise technical risk

The vulnerability identified as CVE-2026-9082 (CVSS score: 6.5) is an SQL injection flaw in Drupal Core that affects all supported Drupal Core versions. According to the advisory that prompted the urgency, the flaw "could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API." The combination of SQL injection with a path to privilege escalation and remote code execution elevates the potential impact beyond mere data leakage to full compromise of affected sites.

Rapid patching, then rapid exploitation

Drupal released fixes for the flaw and, less than two days later, reported that exploit attempts were being detected in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-9082 to its Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence that the flaw is actively exploited. The public timeline — patch, then probes and attempted exploitation within 48 hours — underscores the velocity with which attackers and scanners pursued newly disclosed weaknesses.

Observed activity: scale, targets, and tactics

Thales-owned Imperva reported observing more than 15,000 attack attempts, targeting almost 6,000 individual sites across 65 countries. Imperva said "attacks are primarily targeting gaming and financial services sites so far, at collectively almost 50% of all attacks." Most of the observed activity has been reconnaissance and validation — probing vulnerable endpoints rather than immediate, large-scale data theft — but Imperva warned that "the nature of the vulnerability means successful exploitation could quickly move from probing to data extraction or privilege escalation."

Affected releases and operational guidance

Drupal published patched releases for multiple branches. Patches are available for Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. For Drupal 9.5 and Drupal 8.9, Drupal indicated that manual patching is required. Federal Civilian Executive Branch (FCEB) agencies were recommended to apply the fixes by May 27, 2026, "for optimal protection." The advisory emphasizes that remediation is available across the supported branches but that the method of delivery differs for some older, still-supported releases.

What this means for technologists, FCEB agencies, and gaming & financial services sites

  • Technologists and security teams: Expect a short window between patch publication and active scanning; prioritize verification of Drupal Core version, confirm whether instances are PostgreSQL-backed (the observed activity often probed PostgreSQL-backed configurations), and apply the appropriate patch or manual update per your version.
  • Federal Civilian Executive Branch agencies: The recommendation to remediate by May 27, 2026, places near-term operational deadlines on system owners and integrators; agencies will need to validate patch deployment across enterprise assets and monitor for attempted exploitation recorded in intrusion detection and web logs.
  • Gaming and financial services sites: Given that these sectors accounted for almost half of observed attack attempts, organizations in those verticals should assume heightened interest and increase monitoring and incident readiness even if initial activity appears to be reconnaissance.

Two concrete threads run through the record: defenders now have patches that map to specific releases, and attackers moved quickly from publication to probing at global scale. What remains unsettled — and is material to response planning — is how the vulnerability is being exploited in specific incidents and what attackers' end goals are; the public record notes both remain unknown. Until forensic detail emerges, the practical takeaway is simple: identify affected Drupal Core installations, apply the listed updates or manual patches where required, and treat post-patch monitoring as part of remediation rather than an afterthought.

Original story