Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core, to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. The vulnerability, which carries a CVSS score of 6.5, affects all supported versions of Drupal Core. Attackers can exploit this flaw to inject arbitrary SQL commands, potentially leading to unauthorized data access, data manipulation, or complete database compromise.
Drupal released a security update to patch this vulnerability prior to CISA's announcement, but organizations that have not yet applied the patch are at immediate risk. CISA's KEV listing mandates that federal civilian executive branch agencies remediate the vulnerability by a specified deadline, and strongly recommends that all organizations prioritize patching. The active exploitation underscores the urgency for Drupal site administrators to update their installations promptly to prevent potential breaches.
Active exploitation of this SQL injection flaw puts unpatched Drupal sites at immediate risk of data breaches.