Drupal: Critical SQL injection flaw now targeted in attacks

Summary

Drupal has confirmed active exploitation of CVE-2026-9082, a critical SQL injection vulnerability in its database abstraction API affecting PostgreSQL installations. The flaw, discovered by Google/Mandiant researcher Michael Maturi, allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to remote code execution and data breach. Drupal has released patches for versions 10.4.x through 11.3.x and urges immediate upgrades.

Full text

Drupal: Critical SQL injection flaw now targeted in attacks By Bill Toulas May 22, 2026 09:14 AM 0 Drupal is warning that hackers are attempting to exploit a "highly critical" SQL injection vulnerability announced earlier this week. The content management system (CMS) project published a PSA on May 18, urging administrators to reserve time for core updates that addressed an issue that threat actors might start exploiting "within hours or days." The flaw is now tracked as CVE-2026-9082 and was discovered by Google/Mandiant researcher Michael Maturi. It affects Drupal’s database abstraction API. It allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL. SQL injection is a flaw in which attackers inject malicious SQL commands into database queries via user input fields or dialogs on websites, resulting in unauthorized access, modification, or deletion of database data. The flaw is exploitable without authentication and could result in remote code execution, privilege escalation, and information disclosure. In an update to the advisory on May 22, Drupal confirmed that exploitation attempts have been detected. “The risk score has been updated to reflect that exploit attempts are now being detected in the wild,” reads the updated advisory. Drupal rated the vulnerability as “highly critical,” assigning it an internal score of 23 out of 25. However, NIST has rated it as “medium severity” based on a CVSS v3 score of 6.5. Impact and recommendations CVE-2026-9082 impacts a broad range of Drupal versions, including: Drupal 8.9.x Drupal 10.4.x before 10.4.10 Drupal 10.5.x before 10.5.10 Drupal 10.6.x before 10.6.9 Drupal 11.0.x / 11.1.x before 11.1.10 Drupal 11.2.x before 11.2.12 Drupal 11.3.x before 11.3.10 Website owners and administrators are recommended to upgrade immediately to the latest version available for their branch. Those not using PostgreSQL are still advised to update, as the latest security updates also include fixes for upstream dependencies, including Symfony and Twig. The advisory underlines that Drupal 8 and 9 are end-of-life (EoL), and that patches are provided on a “best-effort” basis; however, those branches still contain other known vulnerabilities, so continuing their use is inherently risky. The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.This guide covers the 6 surfaces you actually need to validate. Download Now Related Articles: Hackers are exploiting a critical LiteLLM pre-auth SQLi flawHackers bypass SonicWall VPN MFA due to incomplete patchingDrupal critical update to fix bug with high exploitation riskHackers exploit auth bypass flaw in Burst Statistics WordPress pluginWeaver E-cology critical bug exploited in attacks since March

Indicators of Compromise

• cve — CVE-2026-9082

Entities