CISA has added CVE-2026-9082 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry covers the Drupal Core product from vendor Drupal and is named the Drupal Core SQL Injection Vulnerability. According to the catalogue description, the flaw allows an attacker to achieve privilege escalation and remote code execution by sending specially crafted requests that abuse the database abstraction API.
The flaw is a SQL injection vulnerability that can be exploited over the network without authentication. Successful exploitation lets an attacker run arbitrary SQL commands, potentially leading to full system compromise, privilege escalation, and execution of malicious code. The vulnerability carries a CVSS base score of 9.8, rated Critical. The supplementary data records no patch as currently available and lists the patch status as unknown.
Inclusion in the KEV catalogue means CISA has evidence that the vulnerability is being actively exploited in the wild. No known ransomware campaign has been linked to this CVE at this time. CISA has set a remediation deadline of 26 May 2026 for Federal Civilian Executive Branch (FCEB) agencies to address the issue.
CISA's required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The directive is binding only on FCEB agencies, but all organisations should review their Drupal Core deployments for exposure and implement any available mitigations promptly.
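One way to operationalise that review is to match an asset inventory against KEV records and rank hosts by remediation deadline. The following is an added example, not CISA's or Drupal's code: the KEV record is constructed from this advisory using the field names of CISA's public KEV JSON feed, and the inventory and reference date are assumptions.

```python
from datetime import date, datetime

# Constructed KEV record mirroring the advisory above (not fetched live);
# field names follow CISA's KEV JSON feed.
KEV_RECORDS = [
    {
        "cveID": "CVE-2026-9082",
        "vendorProject": "Drupal",
        "product": "Drupal Core",
        "vulnerabilityName": "Drupal Core SQL Injection Vulnerability",
        "requiredAction": "Apply mitigations per vendor instructions, follow applicable "
                          "BOD 22-01 guidance for cloud services, or discontinue use of "
                          "the product if mitigations are unavailable.",
        "dueDate": "2026-05-26",
        "knownRansomwareCampaignUse": "Unknown",
    },
]

# Assumed asset inventory for illustration: hostname -> (vendor, product).
INVENTORY = {
    "www-01": ("Drupal", "Drupal Core"),
    "intranet": ("Drupal", "Drupal Core"),
    "wiki": ("Atlassian", "Confluence"),
}


def kev_exposure(inventory, records, today):
    """Return one finding per (host, CVE) where the host runs a KEV-listed
    product, sorted so the tightest deadline comes first. days_left is
    negative once the CISA due date has passed."""
    by_product = {}
    for rec in records:
        key = (rec["vendorProject"].lower(), rec["product"].lower())
        by_product.setdefault(key, []).append(rec)
    findings = []
    for host, (vendor, product) in inventory.items():
        for rec in by_product.get((vendor.lower(), product.lower()), []):
            due = datetime.strptime(rec["dueDate"], "%Y-%m-%d").date()
            findings.append({
                "host": host,
                "cve": rec["cveID"],
                "due": due,
                "days_left": (due - today).days,
                "overdue": due < today,
                "ransomware": rec["knownRansomwareCampaignUse"] == "Known",
            })
    return sorted(findings, key=lambda f: (f["days_left"], f["host"]))


if __name__ == "__main__":
    for f in kev_exposure(INVENTORY, KEV_RECORDS, date(2026, 5, 1)):
        print(f"{f['host']}: {f['cve']} due {f['due']} ({f['days_left']} days left)")
```

Pointing the same function at the live KEV feed and a real CMDB export gives a per-host list of overdue and upcoming KEV deadlines; the ransomware flag lets that list be prioritised further.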
For full technical details, refer to the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-9082 and the CISA KEV catalogue entry.