Drupal bug added to CISA list of known exploited vulnerabilities

May 26, 2026
By Steve Zurier

The Cybersecurity and Infrastructure Security Agency has added an actively exploited critical Drupal bug to its Known Exploited Vulnerabilities (KEV) catalog.

The 9.8-rated flaw, CVE-2026-9082, is an SQL injection bug in the widely used Drupal content management system, which administers more than 1 million websites across federal agencies and large private enterprise networks.

Security pros pointed out that Drupal powers critical infrastructure across government and the private sector, and organizations running it need to treat this patch as a priority, not a footnote. CISA has given federal agencies until May 27 to apply the patch.

“The attack patterns already documented in the wild tell us exactly where this is heading,” said Shane Barney, chief information security officer at Keeper Security. “Attackers are actively scanning for vulnerable targets right now, and once they find one, the path from initial access to privilege escalation is fast and familiar. Security teams shouldn't wait for confirmation of compromise to act.”

Ryan McCurdy, vice president at Liquibase, explained that teams must patch immediately because the flaw lets an attacker exploit a public-facing Drupal site to run arbitrary SQL against the PostgreSQL database that sits behind it.

“On affected sites, the attacker does not need to log in,” said McCurdy.
“From there, the risk can quickly expand from a website issue to data exposure, privilege escalation, and in some cases remote code execution.”

Phillip Wylie, chief security evangelist at Suzu Labs, added that what makes this Drupal vulnerability especially concerning is the combination of factors defenders worry about most: unauthenticated access, active exploitation, and the potential to move from SQL injection into privilege escalation, or even remote code execution, which could include data exfiltration and lateral movement.

Wylie said Drupal often sits in high-value environments supporting public-facing services, large content repositories, and complex integrations, which means compromise can extend well beyond website defacement.

“For federal agencies, CISA’s directive reflects the reality that once exploitation becomes public, adversaries rapidly operationalize it,” said Wylie. “Organizations should treat this as an incident response exercise, not just a routine patch cycle.”

Wylie added that priority actions should include the following:

- Identify all exposed Drupal instances.
- Confirm whether PostgreSQL is in use.
- Apply vendor updates.
- Review logs for suspicious database activity and unusual request patterns.
- Rotate credentials where exposure is possible.
- Validate that no persistence mechanisms were introduced.
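One way to carry out the "confirm whether PostgreSQL is in use" step on a web server, as an added example that is not from the article or from the Drupal project. It assumes Drupal's usual sites/<site>/settings.php layout with a 'driver' => 'pgsql' entry; the function names are hypothetical, and the comment stripping is a heuristic, not a PHP parser.

```python
import re
import tempfile
from pathlib import Path

# Heuristic: drop /* */ blocks and whole-line // or # comments, so the sample
# connection arrays in settings.php comments are not read as live config.
_BLOCK = re.compile(r"/\*.*?\*/", re.S)
_LINE = re.compile(r"^[ \t]*(?://|#).*$", re.M)
_DRIVER = re.compile(r"""['"]driver['"]\s*=>\s*['"](\w+)['"]""")

# Constructed sample, not taken from any real site.
SAMPLE_SETTINGS = """<?php
/**
 * Example from the file's own comments:
 *   'driver' => 'mysql',
 */
# $databases['default']['default'] = ['driver' => 'sqlite'];
$databases['default']['default'] = [
  'database' => 'example_db',
  'driver' => 'pgsql',
];
"""


def active_drivers(php_source):
    """Return the set of database drivers named in uncommented code."""
    code = _LINE.sub("", _BLOCK.sub("", php_source))
    return {d.lower() for d in _DRIVER.findall(code)}


def inventory(webroot):
    """Map every sites/*/settings*.php under webroot to its active drivers."""
    root = Path(webroot)
    return {
        str(p.relative_to(root)): active_drivers(
            p.read_text(encoding="utf-8", errors="replace"))
        for p in sorted(root.rglob("sites/*/settings*.php"))
    }


def postgres_sites(webroot):
    """Settings files that configure PostgreSQL; review and patch these first."""
    return sorted(f for f, d in inventory(webroot).items() if "pgsql" in d)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "web", "sites", "default")
        site.mkdir(parents=True)
        (site / "settings.php").write_text(SAMPLE_SETTINGS, encoding="utf-8")
        print(postgres_sites(tmp))
```

A site that pulls its database settings from an included file or from environment variables will show no driver here and needs a manual check.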