Critical SQL Injection Vulnerability in Drupal Core Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical SQL injection vulnerability in Drupal Core, tracked as CVE-2026-9082 with a CVSS score of 6.5, to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The flaw affects all supported versions of Drupal Core. No specific exploitation timeline or attack vectors were disclosed, but the inclusion in KEV confirms real-world abuse. The vulnerability was recently patched, though no exact patch release date was provided. CISA’s action underscores the urgency for organizations to remediate the issue.