Drupal Critical SQL Injection Vulnerability Now Actively Targeted

Drupal has confirmed that attackers are now attempting to exploit a newly disclosed highly critical SQL injection vulnerability affecting Drupal core.

The vulnerability, tracked as CVE-2026-9082, was disclosed earlier this week and affects Drupal’s database abstraction API. The issue specifically impacts sites using PostgreSQL, where specially crafted unauthenticated requests may allow attackers to inject malicious SQL statements.

Successful exploitation could lead to serious compromise, including:

• Unauthorized database access
• Data modification or deletion
• Privilege escalation
• Information disclosure
• Potential remote code execution

Drupal initially warned administrators on May 18 that exploitation could begin “within hours or days.” In a May 22 advisory update, Drupal confirmed that active exploitation attempts have now been detected in the wild.

Drupal rates the issue as Highly Critical, with an internal risk score of 23 out of 25. NIST currently lists the vulnerability as Medium severity, with a CVSS v3 score of 6.5, though Drupal’s own rating reflects the real-world risk and ease of exploitation.

Affected versions include:

• Drupal 8.9.x
• Drupal 10.4.x before 10.4.10
• Drupal 10.5.x before 10.5.10
• Drupal 10.6.x before 10.6.9
• Drupal 11.0.x / 11.1.x before 11.1.10
• Drupal 11.2.x before 11.2.12
• Drupal 11.3.x before 11.3.10

Administrators should upgrade immediately to the latest patched release available for their Drupal branch.

Even sites not using PostgreSQL should still apply the update, as the latest Drupal security releases also include important fixes for upstream dependencies, including Symfony and Twig.

Drupal also notes that Drupal 8 and Drupal 9 are end-of-life. While limited patches may be provided on a best-effort basis, continuing to run EOL versions remains risky because those branches may contain additional unresolved vulnerabilities.