
CVE-2026-9082
Highly Critical SQL injection (CVSS 6.5) in Drupal Core affecting PostgreSQL sites.
Last refreshed: 29 May 2026 · Appears in 1 active topic
Why were 6,000 Drupal sites attacked within 48 hours of this SQL injection being disclosed?
Timeline for CVE-2026-9082
Mentioned in: Drupal SQL flaw hits PostgreSQL sites
Cybersecurity: Threats and DefencesWhat is CVE-2026-9082 and does it affect my Drupal site?
How fast were Drupal sites exploited after CVE-2026-9082 was published?
Is a CVSS 6.5 score considered dangerous for CVE-2026-9082?
Background
CVE-2026-9082 is a SQL injection vulnerability in Drupal's core database-abstraction API, disclosed by the Drupal Security Team on 23 May 2026 with a severity rating of Highly Critical 23/25 and a CVSS score of 6.5. The flaw exists specifically in how Drupal constructs queries when running on a PostgreSQL backend — a configuration used by fewer than 5% of Drupal sites globally but disproportionately present in government portals and regulated environments. An unauthenticated attacker can exploit the flaw to inject arbitrary SQL, enabling data exfiltration or further compromise of the underlying database.
CISA added CVE-2026-9082 to the Known Exploited Vulnerabilities catalogue on 22 May 2026, imposing a five-day federal remediation Deadline of 27 May. Mass exploitation began within 48 hours of the advisory, with Imperva telemetry documenting more than 15,000 attempts against approximately 6,000 sites across 65 countries. The compressed window between KEV listing and Deadline, combined with the immediate onset of mass scanning, Left many site operators with insufficient time to apply the patch through standard change-management processes.
The Velocity of exploitation — mass automated scanning within hours of a public advisory — is consistent with the industrialisation of vulnerability weaponisation. CVE-2026-9082 is a case study in how a moderate CVSS score (6.5) can mask a real-world severity much higher than the numeric rating implies when the affected population is systematically high-value (government, healthcare, finance).