Last updated: July 5, 2026 at 9:01 AM UTC

CISA emergency directive: federal agencies must patch Drupal CVE-2026-9082 by midnight May 27; Imperva sees 15K attacks across 65 countries

CISA has given US federal civilian agencies a midnight Wednesday May 27 deadline to patch CVE-2026-9082, the highly critical Drupal SQL injection added to its Known Exploited Vulnerabilities catalog on Friday. Imperva says it has now observed 15,000+ attack attempts targeting nearly 6,000 individual Drupal sites across 65 countries since disclosure, with gaming and financial services taking almost half. Shadowserver tracks ~670 unpatched Drupal instances still exposed online (272 in North America, 273 in Europe). CISA's directive is mandatory only for FCEB agencies under BOD 22-01, but the agency strongly urges all organizations to patch immediately.

Check
Inventory Drupal sites by branch and version, especially PostgreSQL-backed deployments. FCEB agencies: confirm the patch is applied by midnight May 27. Check Imperva and Shadowserver data for any of your IPs.
Affected
All supported Drupal 11.x and 10.x branches before the patched releases (11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10). Nearly 6,000 sites already targeted across 65 countries.
Fix
Patch immediately. Apply WAF rules blocking Drupal SQL injection patterns. FCEB agencies must remediate by midnight tonight per BOD 22-01. Prioritize PostgreSQL-backed deployments.
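
One way to run the inventory check above against the patched releases listed under "Affected" (an added example, not code from CISA, Drupal or the original article). The `(site, version, db_driver)` row format, the sample hostnames, the use of `pgsql` as the driver label and the conservative handling of pre-release tags are assumptions.

```python
import re

# Patched release per branch, copied from the "Affected" list above.
PATCHED = {
    (11, 3): 10, (11, 2): 12, (11, 1): 10,
    (10, 6): 9, (10, 5): 10, (10, 4): 10,
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")

def triage(version):
    """Classify one Drupal core version string against the patched releases."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"  # e.g. a dev snapshot string; review by hand
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        # Branch is not in the list above, so there is no release to compare to.
        return "branch-not-listed"
    # Assumption: a pre-release tag on the fixed number (11.2.12-rc1) is
    # treated as older than the final release and still needs patching.
    if patch > fixed or (patch == fixed and m.group(4) is None):
        return "patched"
    return "needs-patch"

def triage_inventory(rows):
    """rows: iterable of (site, version, db_driver). Returns rows that need
    action, PostgreSQL-backed deployments first, then by site name."""
    todo = []
    for site, version, driver in rows:
        status = triage(version)
        if status != "patched":
            todo.append((site, version, driver, status))
    return sorted(todo, key=lambda r: (r[2] != "pgsql", r[0]))

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("intranet.example", "10.5.9", "mysql"),
    ("portal.example", "11.3.9", "pgsql"),
    ("shop.example", "11.3.10", "pgsql"),
    ("legacy.example", "10.3.14", "mysql"),
    ("stage.example", "11.2.12-rc1", "pgsql"),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE):
        print(*row, sep="\t")
```

Rows reported as `branch-not-listed` or `unparsed` are not cleared: the list above gives no fixed release for them, so they need manual review.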