Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV

CISA has added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog after confirming active exploitation of a critical SQL injection flaw in Drupal Core. The vulnerability affects all supported versions of the content management system.

The flaw scores 6.5 on the CVSS severity scale. SQL injection vulnerabilities allow attackers to manipulate database queries, potentially leading to unauthorized data access, modification, or deletion. In Drupal environments, successful exploitation could expose sensitive content, user credentials, or site configuration data stored in the backend database.

CISA's addition to the KEV catalog indicates real-world attacks are underway. This classification triggers federal agencies operating under executive order requirements to patch affected systems within defined timelines. For private organizations, the listing serves as a warning that adversaries actively exploit this flaw.

All supported Drupal Core versions require immediate patching. Website administrators should apply the security update without delay. The timeline between patch availability and active exploitation reinforces the need for rapid deployment. Delaying updates increases risk of compromise.

Organizations running Drupal should verify their current version against official security advisories and apply patches. Network administrators should monitor logs for suspicious database queries or unexpected database access patterns, which may indicate exploitation attempts. Intrusion detection systems should be configured to flag SQL injection patterns targeting Drupal installations.

The involvement of CISA's KEV program elevates visibility and accountability. Federal contractors and agencies face compliance obligations to address exploited vulnerabilities. Private sector organizations handling sensitive data or critical infrastructure functions should treat this with equivalent urgency.

Drupal powers millions of websites globally, making widespread exploitation possible. Unpatched instances remain vulnerable until administrators take action. Organizations unable to patch immediately should implement Web Application Firewall rules to block SQL injection payloads targeting known Drupal endpoints as a temporary mitigation measure.