Deepak Sharma

Drupal Core SQL Injection Vulnerability Now Actively Exploited

A critical SQL injection vulnerability affecting Drupal Core is now being actively exploited in the wild, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The flaw has officially been added to CISA’s Known Exploited Vulnerabilities catalog, making it a high-priority security issue for organizations running Drupal websites.

The vulnerability, tracked as CVE-2026-9082, affects all supported versions of Drupal Core and can potentially allow attackers to carry out privilege escalation or remote code execution through specially crafted requests targeting Drupal’s database abstraction API.

The issue was patched only recently, but reports of exploitation appeared within days of the security update release. Researchers have already observed large-scale scanning and attack activity targeting vulnerable Drupal installations across multiple countries.

Security firms monitoring the attacks reported more than 15,000 exploitation attempts against thousands of websites worldwide. Gaming and financial services platforms appear to be among the most targeted sectors so far.

Most observed activity currently seems focused on reconnaissance and validation, where attackers attempt to identify exposed Drupal systems that use vulnerable PostgreSQL-backed configurations. However, researchers warn that successful exploitation could quickly escalate into data theft, privilege abuse, or full server compromise.

Patches are available for supported Drupal versions, while older end-of-life branches require manual patching. Organizations running unsupported Drupal installations face increased risk because additional vulnerabilities may remain unpatched.

Administrators are strongly advised to update affected systems immediately, monitor logs for suspicious database-related requests, review access permissions, and check for unusual activity linked to exploitation attempts.

Cybersecurity companies like IntelligenceX help organizations reduce these risks through vulnerability monitoring, web application security analysis, threat intelligence, and incident response readiness.

For website owners and security teams, the lesson is clear: once a vulnerability enters the KEV catalog and active exploitation begins, delayed patching can quickly turn into a serious security incident.
