CISA Adds CVE-2026-9082 to KEV Catalog for Drupal Core
Patch Drupal Core immediately to the latest version that includes the CVE-2026-9082 fix to stop active exploitation.
Summary
CISA has added the recently patched CVE-2026-9082 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The flaw is a SQL injection that affects every supported version of Drupal Core. It carries a CVSS score of 6.5 and allows attackers to inject arbitrary SQL statements into the database. The vulnerability was discovered and patched earlier this year, but the active exploitation signals a need for immediate action.
Drupal Core developers released a security update that neutralizes the injection vector by sanitizing user input in the database layer. The patch also tightens the authentication checks for database queries. CISA’s inclusion of the flaw in the KEV catalog indicates that it is being actively abused in the wild. Site owners should verify that they are running the latest Drupal Core version and apply the update without delay.
Key changes
- CVE-2026-9082 is a SQL injection affecting all supported Drupal Core versions
- CVSS score 6.5 with evidence of active exploitation
- CISA added the flaw to its KEV catalog
- Patch sanitizes user input and tightens authentication checks
- Site owners must update to the latest Drupal Core version