CISA adds Drupal Core SQL-injection CVE-2026-9082 to Known Exploited Vulnerabilities list

- CISA added Drupal Core flaw CVE-2026-9082 to its Known Exploited Vulnerabilities catalog on May 22, after Drupal disclosed the SQL-injection bug on May 20.
- The key detail is the deadline: CISA set a May 27 remediation due date, while Drupal said exploit attempts were being detected in the wild.
- Federal agencies must follow BOD 22-01 deadlines; Drupal users can find fixed versions in advisory SA-CORE-2026-004.

CISA added Drupal Core vulnerability CVE-2026-9082 to its Known Exploited Vulnerabilities catalog on May 22, putting the bug on the U.S. government’s list of flaws with evidence of active exploitation. The catalog entry describes the issue as a SQL injection vulnerability in Drupal Core that could allow privilege escalation and remote code execution through specially crafted requests to the database abstraction API. Drupal disclosed the flaw on May 20 in security advisory SA-CORE-2026-004 and rated it “highly critical.” The project said the bug affects sites using PostgreSQL and can be exploited by anonymous users, with possible outcomes including information disclosure, privilege escalation, remote code execution or other attacks.

### Which Drupal sites are actually exposed?

Drupal said the SQL injection issue affects sites using PostgreSQL databases, not every Drupal deployment. (cisa.gov) The advisory says the vulnerability sits in Drupal Core’s database abstraction API and can be triggered with specially crafted requests. Affected supported branches listed by Drupal include versions before 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 and 11.3.10, with best-effort patches also provided for unsupported Drupal 8.9 and 9.5 releases. (drupal.org) Drupal said versions 11.1.x, 11.0.x, 10.4.x and older unsupported branches remain end-of-life and still carry other previously disclosed security vulnerabilities. (drupal.org)

### Why did CISA move so quickly?

CISA’s KEV catalog is reserved for vulnerabilities with reliable evidence of active exploitation, according to Binding Operational Directive 22-01. The directive requires Federal Civilian Executive Branch agencies to remediate listed vulnerabilities by the due date CISA assigns. (drupal.org) Drupal updated its advisory on May 22 at 04:30 UTC to say its risk score had been revised “to reflect that exploit attempts are now being detected in the wild.” Later that day, CISA added CVE-2026-9082 to KEV and set a due date of May 27.

### What does KEV listing require from federal agencies?

CISA’s catalog entry says agencies should apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. (cisa.gov) For CVE-2026-9082, the entry lists May 22 as the date added and May 27 as the action due date. (drupal.org) BOD 22-01 applies to federal civilian executive branch systems, including systems hosted by third parties on an agency’s behalf, according to CISA. CISA also says private-sector organizations should use the KEV catalog as an input to vulnerability prioritization even though the directive’s deadlines do not formally apply to them. (cisa.gov)

### Were other bugs added around the same time?

CISA published a separate alert on May 21 saying it had added two other vulnerabilities to KEV: CVE-2025-34291 in Langflow and CVE-2026-34926 in Trend Micro Apex One (On-Premise). CISA said those additions were also based on evidence of active exploitation. The live KEV catalog page also shows the Drupal entry alongside the Trend Micro and Langflow listings, with the latter two carrying June 4 remediation due dates. (cisa.gov) The catalog page visible on May 23 also includes an Internet Explorer entry near the same section of newly added items.

### What should defenders look at next?

Drupal’s advisory says administrators should install fixed releases for supported branches and review whether any user roles can update Twig templates through Views or contributed modules. (cisa.gov) The same advisory notes the coordinated Drupal releases also include security updates for Symfony and Twig.
CISA’s next milestone is May 27, the due date it assigned for federal agencies to address CVE-2026-9082. (cisa.gov) Drupal users looking for the vendor remediation details can find version-specific upgrade guidance in advisory SA-CORE-2026-004, while federal agencies are expected to track compliance under BOD 22-01. (drupal.org)
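As an added illustration (not code from Drupal, CISA or this article), the triage helper below applies the two exposure conditions reported above to a site inventory: the site must run on PostgreSQL, and its Drupal Core version must be older than the first fixed release for its branch. The `FIXED` table contains only the versions the advisory summary lists; branches absent from it are flagged for manual review, and `parse_version`, `assess` and the sample inventory are my own constructions.

```python
import re

# First fixed release per branch, taken from the advisory summary above.
# Tuples are (major, minor, patch); a trailing 1 is appended at comparison
# time to mark a final release, so a pre-release build of the fixed
# version (e.g. 10.6.9-rc1) still counts as vulnerable.
FIXED = {
    "10.4": (10, 4, 10), "10.5": (10, 5, 10), "10.6": (10, 6, 9),
    "11.1": (11, 1, 10), "11.2": (11, 2, 12), "11.3": (11, 3, 10),
}
# Branches that only received best-effort patches; the summary gives no
# version numbers for them, so they are flagged for manual checking.
BEST_EFFORT = {"8.9", "9.5"}
POSTGRES_DRIVERS = {"pgsql", "postgresql", "postgres"}


def parse_version(text):
    """Extract x.y.z from a version string. Returns (major, minor, patch,
    final) where final is 0 for alpha/beta/rc builds and 1 for a release."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-(?:alpha|beta|rc)\d*)?", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    final = 0 if m.group(4) else 1
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), final


def assess(version_text, db_driver):
    """Return (exposed, reason) for one site, applying the advisory's two
    conditions: a PostgreSQL backend and a version below the fix."""
    if db_driver.lower() not in POSTGRES_DRIVERS:
        return False, f"not affected: database driver is {db_driver}"
    major, minor, patch, final = parse_version(version_text)
    branch = f"{major}.{minor}"
    if branch in FIXED:
        fixed = FIXED[branch]
        fixed_str = ".".join(map(str, fixed))
        if (major, minor, patch, final) >= fixed + (1,):
            return False, f"fixed: {branch}.{patch} is at or above {fixed_str}"
        return True, f"vulnerable: upgrade to {fixed_str}"
    if branch in BEST_EFFORT:
        return True, f"unsupported {branch}.x: apply best-effort patch per advisory"
    return True, f"end-of-life {branch}.x: no fix listed, move to a supported branch"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("www", "10.6.8", "pgsql"), ("intranet", "11.2.12", "pgsql"),
                 ("blog", "10.5.3", "mysql"), ("legacy", "9.5.11", "pgsql")]
    for site, version, driver in inventory:
        print(site, *assess(version, driver))
```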

Shared from Scout - Be the smartest in the room.