
CVE-2026-9082
Highly Critical SQL injection (CVSS 6.5) in Drupal Core affecting PostgreSQL sites.
Last refreshed: 29 May 2026
Why were 6,000 Drupal sites attacked within 48 hours of this SQL injection being disclosed?
Mentioned in: Drupal SQL flaw hits PostgreSQL sites
Cybersecurity: Threats and Defences
- What is CVE-2026-9082 and does it affect my Drupal site?
- CVE-2026-9082 is a Highly Critical SQL injection in Drupal Core's database layer, rated 23/25 on Drupal's own risk scale. It affects only Drupal sites using a PostgreSQL backend (less than 5% of installs); sites on MySQL or MariaDB are not affected. Source: Drupal security advisory, May 2026
- How fast were Drupal sites exploited after CVE-2026-9082 was published?
- Mass exploitation began within 48 hours of the 23 May 2026 advisory. Imperva recorded over 15,000 exploitation attempts against roughly 6,000 sites in 65 countries. Source: Imperva threat telemetry, May 2026
- Is a CVSS 6.5 score considered dangerous for CVE-2026-9082?
- The CVSS 6.5 score is Medium by the numeric convention, but Drupal's own risk calculator scored the flaw 23/25 (Highly Critical). The two scales measure different things: CVSS is a generic base score, while Drupal's total is the security team's sum of six factors (access complexity, authentication required, confidentiality and integrity impact, exploit status, target distribution) judged for this specific flaw, so it can sit near the top of its 25-point scale while the CVSS number stays in the middle.
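Whether a site is affected comes down to the database driver it is configured with. The following Python script is added here as an illustration and is not code from the Drupal project or the advisory: it scans one or more settings.php files for `$databases` connection definitions and reports those whose `driver` is `pgsql`. The `SAMPLE_SETTINGS` text is constructed for the example; the regular expressions assume the documented `$databases[$key][$target] = array(...)` / `[...]` syntax and the scalar `$databases[...][...]['driver'] = '...';` form, and do not follow includes such as settings.local.php, so run it over every settings file a site loads (or cross-check the `db-driver` field of Drush's `core:status` output, which shows the driver the running site resolves).

```python
"""Find Drupal database connections that use the PostgreSQL driver.

Added illustration, not Drupal project or advisory code. It parses the
documented $databases structure of settings.php with regular expressions;
the sample settings below are constructed for the example.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Array form:  $databases['default']['default'] = array( ... );  or  = [ ... ];
# The body is matched non-greedily up to the first ')' or ']' that is
# immediately followed by ';', so nested arrays such as 'pdo' => array(...),
# which end in '),' rather than ');', stay inside the body.
_ARRAY_CONN = re.compile(
    r"""\$databases\s*\[\s*['"](?P<key>[^'"]+)['"]\s*\]\s*
        \[\s*['"](?P<target>[^'"]+)['"]\s*\]\s*=\s*
        (?:array\s*\(|\[)(?P<body>.*?)[\)\]]\s*;""",
    re.DOTALL | re.VERBOSE,
)
# Scalar form:  $databases['default']['default']['driver'] = 'pgsql';
_SCALAR_DRIVER = re.compile(
    r"""\$databases\s*\[\s*['"](?P<key>[^'"]+)['"]\s*\]\s*
        \[\s*['"](?P<target>[^'"]+)['"]\s*\]\s*
        \[\s*['"]driver['"]\s*\]\s*=\s*['"](?P<driver>[^'"]+)['"]\s*;""",
    re.VERBOSE,
)
_DRIVER_IN_BODY = re.compile(r"""['"]driver['"]\s*=>\s*['"](?P<driver>[^'"]+)['"]""")


def database_drivers(settings_php: str) -> Dict[Tuple[str, str], str]:
    """Map (key, target) -> driver for every connection declared in the text.

    Declarations are applied in file order, so a later assignment to the same
    connection overrides an earlier one, as it would in PHP.
    """
    found: List[Tuple[int, str, str, str]] = []
    for m in _ARRAY_CONN.finditer(settings_php):
        d = _DRIVER_IN_BODY.search(m.group("body"))
        if d:
            found.append((m.start(), m.group("key"), m.group("target"), d.group("driver")))
    for m in _SCALAR_DRIVER.finditer(settings_php):
        found.append((m.start(), m.group("key"), m.group("target"), m.group("driver")))
    drivers: Dict[Tuple[str, str], str] = {}
    for _, key, target, driver in sorted(found):
        drivers[(key, target)] = driver
    return drivers


def postgres_connections(settings_php: str) -> List[str]:
    """Return 'key/target' names of connections whose driver is pgsql."""
    return [f"{k}/{t}" for (k, t), drv in database_drivers(settings_php).items()
            if drv == "pgsql"]


# Constructed sample: one PostgreSQL connection and one MySQL migration source.
SAMPLE_SETTINGS = r"""<?php
$databases['default']['default'] = array (
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'not-a-real-password',
  'host' => 'localhost',
  'port' => '5432',
  'driver' => 'pgsql',
  'prefix' => '',
  'pdo' => array(
    \PDO::ATTR_TIMEOUT => 5,
  ),
);
$databases['migrate']['default'] = [
  'database' => 'legacy',
  'username' => 'legacy',
  'password' => 'not-a-real-password',
  'host' => 'db.internal',
  'port' => '3306',
  'driver' => 'mysql',
];
"""

if __name__ == "__main__":
    # Usage: python check_pgsql.py sites/*/settings*.php ; with no arguments the
    # constructed sample is scanned instead.
    paths = sys.argv[1:]
    sources = [(p, Path(p).read_text()) for p in paths] or [("<sample>", SAMPLE_SETTINGS)]
    for name, text in sources:
        pg = postgres_connections(text)
        status = "PostgreSQL connection(s): " + ", ".join(pg) if pg else "no PostgreSQL connections"
        print(f"{name}: {status}")
```

On the sample the script reports `default/default` as PostgreSQL and ignores the MySQL migration connection; in a fleet you would feed it every settings file each site includes, since a settings.local.php that reassigns `$databases` would be invisible to a scan of settings.php alone.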
Background
CVE-2026-9082 is a SQL injection vulnerability in Drupal's core database-abstraction API, disclosed by the Drupal Security Team on 23 May 2026 with a Drupal risk rating of Highly Critical (23/25) and a CVSS score of 6.5. The flaw lies in how Drupal builds queries when running on a PostgreSQL backend, a configuration used by fewer than 5% of Drupal sites globally but disproportionately common in government portals and regulated environments; sites on MySQL or MariaDB are not affected. An unauthenticated attacker can use it to inject arbitrary SQL, enabling data exfiltration or further compromise of the underlying database.
CISA added CVE-2026-9082 to the Known Exploited Vulnerabilities catalogue on 22 May 2026, imposing a five-day federal remediation deadline of 27 May. Mass exploitation began within 48 hours of the advisory, with Imperva telemetry documenting more than 15,000 attempts against approximately 6,000 sites across 65 countries. The compressed window between KEV listing and deadline, combined with the immediate onset of mass scanning, left many site operators without enough time to apply the patch through standard change-management processes.
The velocity of exploitation, mass automated scanning within hours of a public advisory, is consistent with the industrialisation of vulnerability weaponisation. CVE-2026-9082 is a case study in how a moderate CVSS score (6.5) can mask a real-world severity much higher than the numeric rating implies when the affected population is systematically high-value (government, healthcare, finance).
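The gap between the CVSS 6.5 and the Drupal 23/25 raised in the Q&A above and in this closing paragraph is easier to reason about with the Drupal scale in hand. The Python below is an added illustration, not code from the advisory: it encodes the Drupal security team's published risk calculator (six metrics summed to a maximum of 25, with level bands up to Highly Critical at 20-25) and, in reverse, enumerates which metric combinations reach a given total. The specific metric values it uses for CVE-2026-9082 are assumptions for the illustration (the page does not list them); in particular it assumes that a backend used by under 5% of installs is scored TD:Uncommon, the lowest target-distribution value.

```python
"""Drupal security-team risk score: which metric combinations reach a given total.

Added illustration, not code from the Drupal advisory. The per-metric points and
level bands are the Drupal security team's published risk calculator; the metric
values chosen for CVE-2026-9082 below are assumptions for the illustration, since
the page does not list them.
"""
from itertools import product
from typing import Dict, List, Optional

# Points per metric value. Maximum total: 4 + 4 + 5 + 5 + 4 + 3 = 25.
METRICS: Dict[str, Dict[str, int]] = {
    "ac": {"none": 4, "basic": 3, "complex": 2, "theoretical": 1},  # access complexity
    "a": {"none": 4, "user": 2, "admin": 1},                         # authentication needed
    "ci": {"all": 5, "some": 3, "none": 0},                          # confidentiality impact
    "ii": {"all": 5, "some": 3, "none": 0},                          # integrity impact
    "e": {"exploit": 4, "proof": 3, "theoretical": 1},               # zero-day / exploit status
    "td": {"all": 3, "default": 2, "uncommon": 1},                   # target distribution
}

# Risk level bands (inclusive).
LEVELS = [
    (0, 4, "Not critical"),
    (5, 9, "Less critical"),
    (10, 14, "Moderately critical"),
    (15, 19, "Critical"),
    (20, 25, "Highly critical"),
]


def drupal_score(**chosen: str) -> int:
    """Sum the points for one value per metric; every metric must be given."""
    missing = set(METRICS) - set(chosen)
    extra = set(chosen) - set(METRICS)
    if missing or extra:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(extra)}")
    return sum(METRICS[name][value] for name, value in chosen.items())


def risk_level(score: int) -> str:
    """Map a total to the Drupal risk label."""
    for low, high, label in LEVELS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside 0..25")


def combinations_for(score: int, fixed: Optional[Dict[str, str]] = None) -> List[Dict[str, str]]:
    """All metric assignments whose total equals `score`, honouring `fixed` values.

    Useful in reverse: given a published total and one metric you are confident
    about, it shows what the other metrics must have been.
    """
    fixed = fixed or {}
    names = list(METRICS)
    choices = [[fixed[n]] if n in fixed else list(METRICS[n]) for n in names]
    hits: List[Dict[str, str]] = []
    for combo in product(*choices):
        chosen = dict(zip(names, combo))
        if drupal_score(**chosen) == score:
            hits.append(chosen)
    return hits


if __name__ == "__main__":
    # Assumption for the illustration: a PostgreSQL-only flaw (<5% of installs)
    # is scored TD:Uncommon, the lowest target-distribution value.
    for combo in combinations_for(23, {"td": "uncommon"}):
        print(combo, "->", risk_level(23))
    # Without fixing TD there are several ways to total 23; this counts them.
    print(len(combinations_for(23)), "metric combinations total 23/25")
```

With target distribution fixed at Uncommon, the only way to total 23 is every other metric at its maximum: no access complexity, no authentication, full confidentiality and integrity impact, and an exploit already in use. That is why a Highly Critical label is compatible with a small affected population on this scale: the population term can only subtract points, and the remaining five metrics describe what an attacker gets. The CVSS base score is a separate formula with no population term at all, so the two numbers should not be read as if they were on comparable scales.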