Drupal is warning that hackers are attempting to exploit a “highly critical” SQL injection vulnerability announced earlier this week.
The content management system (CMS) project published a PSA on May 18, urging administrators to reserve time for core updates that addressed an issue that threat actors might start exploiting “within hours or days.”
The flaw is now tracked as CVE-2026-9082 and was discovered by Google/Mandiant researcher Michael Maturi. It affects Drupal’s database abstraction API. It allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL.
SQL injection is a flaw in which attackers inject malicious SQL commands into database queries via user input fields or dialogs on websites, resulting in unauthorized access, modification, or deletion of database data.
The flaw is exploitable without authentication and could result in remote code execution, privilege escalation, and information disclosure.
In an update to the advisory on May 22, Drupal confirmed that exploitation attempts have been detected.
“The risk score has been updated to reflect that exploit attempts are now being detected in the wild,” reads the updated advisory.
Drupal rated the vulnerability as “highly critical,” assigning it an internal score of 23 out of 25. However, NIST has rated it as “medium severity” based on a CVSS v3 score of 6.5.
Impact and recommendations
CVE-2026-9082 impacts a broad range of Drupal versions, including:
- Drupal 8.9.x
- Drupal 10.4.x before 10.4.10
- Drupal 10.5.x before 10.5.10
- Drupal 10.6.x before 10.6.9
- Drupal 11.0.x / 11.1.x before 11.1.10
- Drupal 11.2.x before 11.2.12
- Drupal 11.3.x before 11.3.10
Website owners and administrators are recommended to upgrade immediately to the latest version available for their branch.
Those not using PostgreSQL are still advised to update, as the latest security updates also include fixes for upstream dependencies, including Symfony and Twig.
The advisory underlines that Drupal 8 and 9 are end-of-life (EoL), and that patches are provided on a “best-effort” basis; however, those branches still contain other known vulnerabilities, so continuing their use is inherently risky.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
