Drupal: Critical SQL injection flaw now targeted in attacks

Drupal is warning that hackers are attempting to exploit a "highly critical" SQL injection vulnerability announced earlier this week. The content management system (CMS) project published a PSA on May 18, urging administrators to reserve time for core updates that addressed an issue that threat actors might start exploiting "within hours or days." The flaw is now tracked as CVE-2026-9082 and was discovered by Google/Mandiant researcher Michael Maturi. It affects Drupal’s database abstraction API. It allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL. SQL injection is a flaw in which attackers inject malicious SQL commands into database queries via user input fields or dialogs on websites, resulting in unauthorized access, modification, or deletion of database data. The flaw is exploitable without authentication and could result in remote code execution, privilege escalation, and information disclosure. In an update to the advisory on May 22, Drupal confirmed that exploitation attempts have been detected. “The risk score has been updated to reflect that exploit attempts are now being detected in the wild,” reads the updated advisory. Drupal rated the vulnerability as “highly critical,” assigning it an internal score of 23 out of 25. However, NIST has rated it as “medium severity” based on a CVSS v3 score of 6.5. CVE-2026-9082 impacts a broad range of Drupal versions, including: Website owners and administrators are recommended to up...