CISA orders feds to patch actively exploited Drupal vulnerability

CISA has given U.S. government agencies until Wednesday evening to secure their servers against an SQL injection vulnerability in the Drupal content management system (CMS) that it flagged as actively exploited. Drupal is typically used by large organizations managing massive data structures and multi-site installations, including government entities, educational organizations, major research universities, and high-profile enterprise and media organizations. Google/Mandiant researcher Michael Maturi discovered this vulnerability (now tracked as CVE-2026-9082) in Drupal's database abstraction API. The security flaw can be exploited without authentication, allowing attackers to trigger arbitrary SQL injection on PostgreSQL-powered sites via specially crafted requests. Successful exploitation can potentially lead to information disclosure, privilege escalation, and even remote code execution. The Drupal security team tagged the flaw as "highly critical" before releasing patches and confirming that exploitation attempts had been detected in the wild. "Since CVE-2026-9082 was released, Imperva has observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries," cybersecurity firm Imperva warned on May 21. "Attacks are primarily targeting Gaming and Financial Services sites so far, at collectively almost 50% of all attacks." Internet security watchdog group Shadowserver now tracks nearly 670 unpatched Drupal installations exposed online, most of t...