softwarebay.de
CISA Warns of Critical Drupal Security Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical security vulnerability in Drupal Core and included it in its Known Exploited Vulnerabilities (KEV) catalog. This action comes in response to indications of active exploitation of the vulnerability. The security flaw is designated CVE-2026-9082 and has a CVSS score of 6.5. The vulnerability affects all supported versions of Drupal Core and allows attackers to perform SQL injection attacks.

Such attacks could enable an attacker to gain unauthorized access to databases and steal or manipulate sensitive information. CISA has urged affected organizations to install security updates immediately. The discovery of this vulnerability is particularly concerning as Drupal is a widely used content management platform utilized by numerous websites and applications. According to estimates, over 1.3 million websites use Drupal, significantly increasing the potential attack surface. CISA has emphasized the urgency of the situation and recommends that administrators update their systems without delay.

The security updates that address the vulnerability have already been released. CISA has noted in its report that the vulnerability is actively being exploited, meaning that attackers are already attempting to compromise systems. This underscores the necessity for organizations to review their security practices and ensure that all software versions are up to date. CISA has also pointed out that the vulnerability poses a significant threat not only to large enterprises but also to small and medium-sized businesses. Many of these organizations may have inadequate security resources, making them more susceptible to attacks.

The agency recommends that all users of Drupal Core apply the security updates immediately. In addition to technical measures, CISA has also recommended conducting employee training to raise awareness of cybersecurity risks. Awareness of potential threats can help reduce the likelihood of a successful attack. The agency has stressed that the combination of technical and human security measures is crucial.

The CVE-2026-9082 vulnerability is not the first flaw discovered in Drupal Core. In the past, there have been several critical security vulnerabilities that had similar impacts. CISA has therefore emphasized the need for regular security assessments and timely implementation of software updates. The Drupal community has responded to the discovery of the vulnerability and is working on further measures to enhance the security of the platform. Developers and security researchers have already begun implementing additional security features to prevent future attacks. The community has also provided resources to assist users in updating their systems.

CISA will continue to monitor the situation and plans to provide regular updates on the status of the vulnerability and the community's response. The agency has emphasized that collaboration between government agencies, industry, and the security community is essential to improving the cybersecurity landscape. CISA has urged users of Drupal Core to remain vigilant and adhere to security practices. The vulnerability was added to the KEV catalog on May 24, 2026, highlighting the urgency of the situation. Organizations using Drupal Core should take immediate action to protect their systems.

Tags: CISA Drupal Cybersecurity SQL Injection CVE-2026-9082
