A critical SQL injection vulnerability, tracked as CVE-2026-9082, has been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog, with a CVSS score of 9.8, indicating a high-severity threat [1]. The flaw affects Drupal Core, specifically sites running PostgreSQL databases, and allows unauthenticated attackers to compromise them. Drupal issued a security patch on May 20 to address this vulnerability, but exploitation attempts began shortly after. CISA's addition of CVE-2026-9082 to its catalog highlights the urgency of patching, as the vulnerability is being actively exploited. For organizations running affected Drupal Core versions, this is a patch-now situation: the fix needs to be applied immediately to prevent site compromise.
U.S. CISA adds a flaw in Drupal Core to its Known Exploited Vulnerabilities catalog
⚠️ Critical Alert
Why This Matters
CVE-2026-9082 is in active discussion involving CISA — exploitation status determines whether this is patch-now or monitor.
References
- SecurityAffairs. (2026, May 24). U.S. CISA adds a flaw in Drupal Core to its Known Exploited Vulnerabilities catalog. *SecurityAffairs*. https://securityaffairs.com/192566/uncategorized/u-s-cisa-adds-a-flaw-in-drupal-core-to-its-known-exploited-vulnerabilities-catalog.html