Source: The Hacker News — 23 May 2026
What we are tracking
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core. "Drupal Core
RingSafe analysis
India’s NIC-hosted state-government portals, university CMSes (DU, JNU, IIT departmental sites), and a long tail of public-sector communication properties run heavily on Drupal 9, 10, and 11. With CVE-2026-9082 now on CISA’s Known Exploited Vulnerabilities catalogue, mass-exploitation scanning typically reaches Indian ASNs within 48–72 hours of the first wave — treat this as a same-week patching event, not a quarter-end task. Map to OWASP A03:2021 (Injection) and MITRE ATT&CK T1190 (Exploit Public-Facing Application) with T1505.003 (Web Shell) as the likely follow-on once SQLi escalates to file write. Under DPDP Section 8, any unpatched Drupal node holding citizen registration, e-services, or grievance data is breach-notification-relevant the moment compromise is confirmed. Pull Drupal versions from your CMDB tonight; patch every node by week’s end; assume compromise on any node still unpatched past Monday.
Read the original report
Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV → at The Hacker News