
Drupal
Open-source PHP content management system widely used for government, higher-education and enterprise sites; CVE-2026-9082 SQL injection mass-exploited in May 2026.
Last refreshed: 29 May 2026
Why was a Drupal SQL injection patched in days exploited across 6,000 sites in 65 countries almost immediately?
Timeline for Drupal
Drupal SQL flaw hits PostgreSQL sites
Cybersecurity: Threats and Defences
- Is my Drupal site vulnerable to CVE-2026-9082?
- Only Drupal sites using a PostgreSQL database backend are affected; PostgreSQL accounts for fewer than 5% of Drupal installs. Sites using MySQL or MariaDB are not vulnerable. Do not assume you know the backend: check the 'driver' entry of the $databases array in settings.php, and if it is pgsql, apply the Drupal security update immediately. Source: Drupal security advisory, May 2026
- How many Drupal sites were attacked by the CVE-2026-9082 exploit?
- Imperva telemetry recorded over 15,000 exploitation attempts against approximately 6,000 Drupal sites across 65 countries within 48 hours of the disclosure on 23 May 2026. Source: Imperva threat intelligence, May 2026
- What does Highly Critical mean in a Drupal security advisory?
- The Drupal security team scores advisories on its own 0-25 risk scale, where 15-19 is Critical and 20-25 is Highly Critical. A rating of 23/25 (Highly Critical) indicates an unauthenticated, remotely exploitable vulnerability with significant data-exfiltration or site-compromise potential. Only a small number of Drupal advisories reach this tier. This score is separate from CVSS and the two are not interchangeable. Source: Drupal security policy
- How do I patch the Drupal SQL injection vulnerability from 2026?
- Update Drupal core to the release of 23 May 2026 that addresses CVE-2026-9082, using your normal core update process (Composer for Composer-managed sites, replacement of the core directory for legacy tarball installs), then confirm the running core version on the updated site. CISA's 27 May deadline applied to federal agencies; all PostgreSQL-backed Drupal deployments should treat this as urgent. Source:
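The two checks above (which database driver the site uses, and whether its core version predates the fix) are easy to get wrong across a fleet, so here is a small triage script as an added example. It is not Drupal project code. It reads the driver from a settings.php and compares the running core version with the fixed release; because this page does not give the fixed version number, that value is passed in as a parameter, and the version strings in the usage loop are placeholders. The sample settings.php files are constructed inline.

```shell
#!/bin/sh
# Added triage helper (not Drupal project code): decides whether a Drupal install
# falls into the population the CVE-2026-9082 advisory describes (PostgreSQL driver)
# and still runs a core version older than the fixed release. The fixed version
# number is not stated on this page, so it is an input, not a constant.

# Print the database driver ('pgsql', 'mysql', 'sqlite', ...) found in a settings.php.
# Assumes the conventional $databases array with a quoted 'driver' => '...' entry;
# the first match is taken, which is normally the default connection.
drupal_db_driver() {
  sed -n "s/.*'driver'[[:space:]]*=>[[:space:]]*'\([a-z_]*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 if version $1 is strictly older than $2, comparing dot-separated numeric
# parts (a missing part counts as 0; any -rc/-alpha suffix is ignored); else 1.
version_older() {
  a="${1%%-*}"; b="${2%%-*}"
  while [ -n "$a" ] || [ -n "$b" ]; do
    pa="${a%%.*}"; pb="${b%%.*}"
    if [ "$a" = "$pa" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$pb" ]; then b=""; else b="${b#*.}"; fi
    [ "${pa:-0}" -lt "${pb:-0}" ] && return 0
    [ "${pa:-0}" -gt "${pb:-0}" ] && return 1
  done
  return 1
}

# Verdict: 0 = this site needs the update; 1 = outside the affected population
# (non-PostgreSQL backend) or already at or above the fixed version.
# $1 settings.php path, $2 running core version, $3 fixed core version (supplied by caller).
needs_cve_2026_9082_update() {
  driver=$(drupal_db_driver "$1")
  [ "$driver" = "pgsql" ] || return 1   # MySQL/MariaDB sites are not affected per the advisory
  version_older "$2" "$3"
}

# Constructed sample settings.php files: one PostgreSQL site, one MySQL site.
PG_SETTINGS=$(mktemp); MY_SETTINGS=$(mktemp)
cat > "$PG_SETTINGS" <<'EOF'
<?php
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'secret',
  'host' => 'localhost',
  'port' => '5432',
  'driver' => 'pgsql',
  'prefix' => '',
];
EOF
cat > "$MY_SETTINGS" <<'EOF'
<?php
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'secret',
  'host' => 'localhost',
  'port' => '3306',
  'driver' => 'mysql',
  'prefix' => '',
];
EOF

# Placeholder version strings: "10.2.0" as the running version and "10.2.1" as the
# fixed release are illustrative only, not the real CVE-2026-9082 fix version.
for f in "$PG_SETTINGS" "$MY_SETTINGS"; do
  if needs_cve_2026_9082_update "$f" "10.2.0" "10.2.1"; then
    echo "$(drupal_db_driver "$f"): UPDATE REQUIRED"
  else
    echo "$(drupal_db_driver "$f"): not in affected population, or already at the fixed version"
  fi
done
```

On a live site the running core version comes from the Drupal::VERSION constant (or Composer's installed package list) and the driver from the real settings.php; feed those two values plus the advisory's fixed version into needs_cve_2026_9082_update. The driver check deliberately matches only the literal pgsql driver name, so a site that merely has PostgreSQL installed on the host but uses MySQL for Drupal is correctly reported as out of scope.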
Background
Drupal is an open-source content management system written in PHP, first released in 2001. Its usage is concentrated in government, higher-education and enterprise web presences globally. Its modular architecture and strong access-control model have made it a preferred CMS for high-security public-sector applications. The Drupal Association governs the project, and the Drupal security team classifies advisories on its own 0-25 risk scale: 15-19 is Critical and 20-25 is Highly Critical.
On 23 May 2026, Drupal disclosed CVE-2026-9082, a SQL injection vulnerability in its core database-abstraction API rated Highly Critical at 23/25 on Drupal's risk scale (its CVSS score is 6.5; the two metrics measure different things and are not interchangeable). The flaw affects only sites running on PostgreSQL backends, which represent fewer than 5% of Drupal installs. CISA added the vulnerability to the Known Exploited Vulnerabilities catalogue on 22 May 2026 with a five-day federal remediation deadline of 27 May 2026. Mass exploitation began within 48 hours of disclosure: Imperva telemetry recorded more than 15,000 exploitation attempts across approximately 6,000 sites in 65 countries.
The rapid mass exploitation of a CMS-level SQL injection demonstrates how quickly automated scanners weaponise newly disclosed vulnerabilities: a patch that is available within days is of no use to a site that has not applied it within hours. Drupal's Highly Critical rating (23/25) reflects the flaw's unauthenticated remote exploitability and data-exfiltration potential. Although only PostgreSQL-backed sites are affected, that subset includes a disproportionate share of government portals, which standardise on PostgreSQL more often than the wider Drupal population does.