Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: drupal (4 articles)Clear

CISA emergency directive: federal agencies must patch Drupal CVE-2026-9082 by midnight May 27; Imperva sees 15K attacks across 65 countries

CISA has given US federal civilian agencies a midnight Wednesday May 27 deadline to patch CVE-2026-9082, the highly critical Drupal SQL injection added to its Known Exploited Vulnerabilities catalog on Friday. Imperva says it has now observed 15,000+ attack attempts targeting nearly 6,000 individual Drupal sites across 65 countries since disclosure, with gaming and financial services taking almost half. Shadowserver tracks ~670 unpatched Drupal instances still exposed online (272 in North America, 273 in Europe). CISA's directive is mandatory only for FCEB agencies under BOD 22-01, but the agency strongly urges all organizations to patch immediately.

Check
Inventory Drupal sites by branch and version, especially PostgreSQL-backed deployments. FCEB agencies: confirm patch is applied by midnight May 27. Check Imperva and Shadowserver data for any of your IPs.
Affected
All supported Drupal 11.x and 10.x branches before the patched releases (11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10). 6,000 sites already targeted across 65 countries.
Fix
Patch immediately. Apply WAF rules blocking Drupal SQL injection patterns. FCEB agencies must remediate by midnight tonight per BOD 22-01. Prioritize PostgreSQL-backed deployments.

Drupal critical SQL injection CVE-2026-9082 now actively exploited in PostgreSQL sites, added to CISA KEV - patch immediately

Drupal has issued an update to its highly critical PSA-2026-05-18 advisory confirming that exploit attempts for CVE-2026-9082 are now being detected in the wild. The bug is an SQL injection in Drupal's database abstraction API that lets unauthenticated requests trigger arbitrary SQL on sites running PostgreSQL, with possible escalation to RCE, privilege escalation, and information disclosure. Drupal rates it 23 out of 25 internally though NIST's CVSS v3 score is a mismatched 6.5. CISA added it to KEV on May 22. Affected versions cover Drupal 8.9.x and all 10.x and 11.x branches up to 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10.

Check
Inventory Drupal sites, confirm core version, and identify PostgreSQL deployments (highest impact). Search web access logs for unusual database errors or SQL-pattern requests since 2026-05-20.
Affected
Drupal core 8.9.x, 10.4.x before 10.4.10, 10.5.x before 10.5.10, 10.6.x before 10.6.9, and all 11.x before 11.1.10/11.2.12/11.3.10. PostgreSQL backends face RCE; MySQL still needs the upgrade for Symfony/Twig.
Fix
Upgrade to the patched branch immediately. FCEB agencies must remediate by June 12 per CISA KEV. Apply WAF rules blocking suspicious SQL injection patterns until the patch lands.

Drupal ships highly critical PostgreSQL RCE fix across 11.x and 10.x - SA-CORE patches now live, Drupal 7 unaffected

Drupal has shipped the highly critical core security release teased by PSA-2026-05-18. The flaw lets attackers achieve remote code execution on Drupal sites running PostgreSQL backends. Fixed versions are 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. The releases for supported branches also pull in upstream Symfony and Twig security fixes, making the upgrade essential even on MySQL deployments. Best-effort manual patches are available for end-of-life Drupal 9.5 and 8.9. Drupal 7 is not affected. The Drupal Security Team had warned that working exploits could follow within hours of disclosure, so administrators should patch now.

Check
Inventory Drupal sites, confirm core version, and identify PostgreSQL-backed deployments (highest-impact path). Check for unusual database queries or admin-account changes during the May 20 disclosure window.
Affected
Drupal core 11.3.x, 11.2.x, 11.1.x, 10.6.x, 10.5.x, 10.4.x. Best-effort patches for EOL 9.5 and 8.9. Drupal 7 not affected. PostgreSQL backends face RCE; MySQL deployments still need the upgrade.
Fix
Upgrade Drupal core to 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, or 10.4.10 immediately. For EOL 9.5 and 8.9, apply the manual patches and plan migration to a supported branch.

Drupal shipping highly critical core security update today (May 20, 17:00-21:00 UTC) - PSA-2026-05-18, severity 20/25, unauthenticated

Drupal is releasing an emergency core security update on May 20 between 17:00 and 21:00 UTC. Pre-disclosure advisory PSA-2026-05-18 rates the issue 'highly critical' (20 of 25 on Drupal's scoring) and notes access complexity 'None' and authentication 'None' - meaning the underlying flaw is unauthenticated and easy to trigger. Patches will land for the supported 11.3.x, 11.2.x, 10.6.x, and 10.5.x branches, plus emergency patches for EOL 11.1.x and 10.4.x. Drupal 7 is not affected. Drupal 8 and 9 will only get best-effort manual patch files. The Drupal Security Team warns working exploits may follow within hours of disclosure.

Check
Inventory all Drupal sites and their exact versions. Flag any site on Drupal 8 or 9 since these need manual best-effort patches and a planned upgrade.
Affected
All supported Drupal core 11.x and 10.x; pre-patched 11.1.x and 10.4.x EOL branches available; Drupal 8/9 best-effort only. Drupal 7 is not affected.
Fix
Pre-upgrade to 11.1.9 or 10.4.9 today before the security release lands. Apply the patch the moment it ships and plan an upgrade to 11.3 or 10.6 within the next quarter.