Particle.news

CISA Adds Drupal SQL Injection Bug to KEV After Widespread Exploit Attempts

The flaw lets unauthenticated requests trigger SQL injection on PostgreSQL-backed sites, and officials are urging immediate patching to prevent rapid data theft or privilege escalation.

Overview

  • Drupal disclosed CVE-2026-9082 as a SQL injection flaw in its database abstraction API that allows specially crafted, unauthenticated requests to execute arbitrary SQL on sites using PostgreSQL.
  • Drupal updated its advisory on May 22 to say exploit attempts were being detected, and security firms reported large-scale scanning and probing of vulnerable sites.
  • Thales-owned Imperva reported more than 15,000 attack attempts against nearly 6,000 sites in about 65 countries, with gaming and financial services receiving almost half of the probes and most activity appearing to be reconnaissance.
  • Patches were released for multiple supported Drupal branches, and manual fixes are available for some end-of-life releases; CISA has added the bug to its Known Exploited Vulnerabilities list and advised federal agencies to remediate quickly.
  • Drupal rated the issue highly critical while NIST assigned a medium CVSS score of 6.5; the incident raises the risk that probing could quickly escalate to data theft or remote code execution on affected PostgreSQL sites.