Critical Drupal SQL Injection Flaw Under Active Exploitation: CISA Orders Immediate Patching
A critical SQL injection vulnerability in the **Drupal** content management system (CMS) is under active exploitation, prompting the **Cybersecurity and Infrastructure Security Agency (CISA)** to order U.S. government agencies to patch their systems immediately. The flaw, tracked as **CVE-2026-9082**, allows unauthenticated attackers to perform arbitrary SQL injection against **PostgreSQL**-powered sites.

**Drupal**, a popular CMS, is often used by large organizations, including government entities, educational institutions, and media companies, to manage extensive data structures and multi-site installations.
### Vulnerability Details
The vulnerability, **CVE-2026-9082**, was discovered by **Google/Mandiant** researcher Michael Maturi in **Drupal's** database abstraction API. It allows unauthenticated attackers to trigger arbitrary SQL injection on **PostgreSQL**-powered sites through specially crafted requests. Successful exploitation could lead to information disclosure, privilege escalation, and remote code execution.
The **Drupal** security team classified the flaw as "highly critical" and released patches after detecting exploitation attempts in the wild.
### Exploitation in the Wild
According to **Imperva**, over 15,000 attack attempts targeting nearly 6,000 individual sites across 65 countries have been observed since the vulnerability's disclosure. The attacks primarily target gaming and financial services sites.
**Shadowserver** is currently tracking nearly 670 unpatched **Drupal** installations exposed online, with the majority located in North America and Europe.

*Unpatched Drupal instances (Shadowserver)*
### CISA's Response
On Friday, **CISA** added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and, under Binding Operational Directive (BOD) 22-01, required Federal Civilian Executive Branch (FCEB) agencies to patch their systems by Wednesday, May 27.
While BOD 22-01 applies specifically to U.S. federal agencies, **CISA** strongly advises all organizations, including those in the private sector, to apply the **CVE-2026-9082** patches as soon as possible to secure their systems.
**CISA** has flagged five **Drupal** vulnerabilities exploited in the wild over the past few years, with two being leveraged in ransomware attacks.