
CISA added a recently patched critical Drupal Core security flaw to its Known Exploited Vulnerabilities catalog after evidence showed active exploitation. The flaw, CVE-2026-9082 with a CVSS score of 6.5, is an SQL injection issue affecting all supported Drupal Core versions. It could enable privilege escalation and remote code execution through specially crafted requests using the database abstraction API. Drupal released fixes shortly before CISA’s KEV update, and exploit attempts are now being detected in the wild. Imperva observed more than 15,000 attack attempts targeting nearly 6,000 sites in 65 countries, mainly probing gaming and financial services sites. FCEB agencies were recommended to apply fixes by May 27.
CISA has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core.
"Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API," CISA said.
"exploit attempts are now being detected in the wild." Thales-owned Imperva said it has observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries.
"Attacks are primarily targeting gaming and financial services sites so far, at collectively almost 50% of all attacks," the company said. "Most of the observed activity so far appears to be probing." "This pattern suggests attackers and scanners are primarily attempting to identify exposed Drupal sites running vulnerable PostgreSQL-backed configurations. While the activity is currently dominated by reconnaissance and validation, the nature of the vulnerability means successful exploitation could quickly move from probing to data extraction or privilege escalation."
Read at The Hacker News