INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks
| 2026-05-26 08:46 CRITICAL HIGHExecutive Summary AI-generated
The US government has issued a directive to patch vulnerable Drupal servers, citing an active SQL injection vulnerability that could be exploited without authentication. The flaw was discovered by Google/Mandiant researcher Michael Maturi and is tracked as CVE-2026-9082 in the database abstraction API of Drupal 8. Over 670 unpatched installations have been exposed online, with most coming from North America and Europe. CISA advises all defenders to apply patches immediately, citing a Binding Operational Directive (BOD) that only applies to Federal Civilian Executive Branch agencies. The agency warns that attackers can exploit the vulnerability without authentication, allowing for arbitrary SQL injection on PostgreSQL-powered sites.
Technical Mitigations AI-generated
* Implement a secure coding practice: Ensure that developers and administrators follow best practices for writing secure code, such as validating user input, using prepared statements, and avoiding SQL injection vulnerabilities.
* Use a web application firewall (WAF): Consider implementing a WAF to help detect and prevent common web attacks, including SQL injection. A well-configured WAF can significantly reduce the risk of exploitation of known vulnerabilities like CVE-2026-9082.
* Regularly update and patch software: Keep all software applications up-to-date with the latest security patches, including Drupal Core and Microsoft Exchange Server. This will help prevent exploitation of known vulnerabilities before they are patched by attackers.
* Implement input validation and sanitization: Ensure that user input is validated and sanitized to prevent SQL injection attacks. Use prepared statements or parameterized queries instead of directly concatenating user input into SQL code.
* Use a secure database connection protocol (e.g., SSL/TLS): When connecting to databases, use a secure protocol like SSL/TLS to encrypt data in transit. This can help protect against eavesdropping and tampering attacks that could be used to inject malicious SQL commands.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-9082CVE-2026-9082
Target & Sectors
EUROPE
EUROPE
NORTH_AMERICA
NORTH_AMERICA
governmentgovernment
mediamedia
Incident Timeline
May 20
The U.S. CISA exploited a SQL injection vulnerability in Drupal Core, allowing unauthenticated attackers to compromise sites running PostgreSQL databases on May 20.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-9082
Drupal issued a highly critical security patch on May 20 for
CVE-2026-9082
, a SQL injection vulnerability that allows unauthenticated attackers to compromise sites running PostgreSQL databases.
organisation
SQL
Drupal issued a highly critical security patch on May 20 for
CVE-2026-9082
, a SQL injection vulnerability that allows unauthenticated attackers to compromise sites running PostgreSQL databases.
May 21, 2026
Threat actors exploited a high-risk vulnerability in Drupal Core to gain unauthorized access and execute malicious code.
Click on any entity below to view its context and source!
tactic
Privilege Escalation
Ravie Lakshmanan
May 21, 2026
Web Security / Vulnerability
Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.
tactic
Remote Code Execution
Ravie Lakshmanan
May 21, 2026
Web Security / Vulnerability
Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.
organisation
Drupal Core
Ravie Lakshmanan
May 21, 2026
Web Security / Vulnerability
Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.
May 22, two days
The U.S. CISA advisory for CVE-2026-9082 was updated on May 22, two days after the patch release, to confirm that exploit attempts were being detected in the wild.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-9082
The advisory for CVE-2026-9082 was updated on May 22, two days after the patch released, with a detail that confirmed what many had already suspected:
“The risk score has been updated to reflect that exploit attempts are now being detected in the wild.”
reads
the updated advisory.
2026/05/26
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Drupal Core to its Known Exploited Vulnerabilities catalog, which affects the database abstraction API used for sanitizing queries and preventing SQL injection attacks.
Click on any entity below to view its context and source!
organisation
Google/Mandiant
Google/Mandiant researcher Michael Maturi discovered this vulnerability (now tracked as
CVE-2026-9082
) in Drupal's database abstraction API.
organisation
API
Google/Mandiant researcher Michael Maturi discovered this vulnerability (now tracked as
CVE-2026-9082
) in Drupal's database abstraction API.
The vulnerability sits in an API designed to sanitize database queries and prevent SQL injection.
Drupal said the vulnerability resides in a database abstraction API that is used in Drupal Core to validate queries and ensure they are sanitized against SQL injection attacks.
organisation
CVSS
The vulnerability, now tracked as
CVE-2026-9082
, carries a CVSS score of 6.5 out of 10.0, per CVE.org.
organisation
SQL
Drupal said the vulnerability resides in a database abstraction API that is used in Drupal Core to validate queries and ensure they are sanitized against SQL injection attacks.
The security flaw can be exploited without authentication, allowing attackers to trigger arbitrary SQL injection on PostgreSQL-powered sites via specially crafted requests.
organisation
Shadowserver
Internet security watchdog group Shadowserver is now tracking
nearly 670 unpatched Drupal installations
exposed online, most of them from North America (272) and Europe (273).
infrastructure
670 unpatched Drupal installations
Internet security watchdog group Shadowserver is now tracking
nearly 670 unpatched Drupal installations
exposed online, most of them from North America (272) and Europe (273).
financial
273 Europe
Internet security watchdog group Shadowserver is now tracking
nearly 670 unpatched Drupal installations
exposed online, most of them from North America (272) and Europe (273).
organisation
BOD
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
organisation
Financial Services
Attacks are primarily targeting Gaming and Financial Services sites so far, at collectively almost 50% of all attacks.”
states Imperva
.
infrastructure
11.3.10
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
infrastructure
11.2.12
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
infrastructure
11.1.10
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
infrastructure
10.6.9
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
infrastructure
10.5.10
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
infrastructure
10.4.10
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
infrastructure
11.3
The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.
infrastructure
11.2
The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.
infrastructure
10.6
The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.
infrastructure
10.5
The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.
organisation
Symfony
The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.
infrastructure
11.1
As previously
disclosed
by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life -
"Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage," Drupal said.
infrastructure
11.0
As previously
disclosed
by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life -
"Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage," Drupal said.
infrastructure
10.4
As previously
disclosed
by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life -
"Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage," Drupal said.
Wednesday, May 27
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities Catalog, ordered Federal Civilian Executive Branch agencies to patch their systems by midnight on Wednesday, May 27.
Click on any entity below to view its context and source!
attribution
Unpatched Drupal
Unpatched Drupal instances (Shadowserver)
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA)
added
the flaw to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
Known Exploited
Unpatched Drupal instances (Shadowserver)
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA)
added
the flaw to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by
Binding Operational Directive (BOD) 22-01
.
tactic
T1588.006 - Vulnerabilities
Unpatched Drupal instances (Shadowserver)
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA)
added
the flaw to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
KEV
Unpatched Drupal instances (Shadowserver)
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA)
added
the flaw to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
Federal Civilian Executive Branch
Unpatched Drupal instances (Shadowserver)
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA)
added
the flaw to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by
Binding Operational Directive (BOD) 22-01
.
attribution
FCEB
Unpatched Drupal instances (Shadowserver)
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA)
added
the flaw to its
Known Exploited Vulnerabilities (KEV) Catalog
and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by
Binding Operational Directive (BOD) 22-01
.
May 27, 2026
Threat actors exploited a vulnerability in the U.S. CISA's Drupal Core, compromising federal agency security by May 27, 2026.
Tactical Metrics
Metrics
infrastructure
670
Unpatched Drupal Installations
Click for context!
Internet security watchdog group Shadowserver is now tracking
nearly 670 unpatched Drupal installations
exposed online, most of them from North America (272) and Europe (273).
Metrics
financial
273
Europe
Internet security watchdog group Shadowserver is now tracking
nearly 670 unpatched Drupal installations
exposed online, most of them from North America (272) and Europe (273).
Metrics
infrastructure
11.3.10
Software Version
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
Metrics
infrastructure
11.2.12
Software Version
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
Metrics
infrastructure
11.1.10
Software Version
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
Metrics
infrastructure
10.6.9
Software Version
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
Metrics
infrastructure
10.5.10
Software Version
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
Metrics
infrastructure
10.4.10
Software Version
The following versions address the issue -
Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10
Drupal 7 isn't affected.
Metrics
infrastructure
11.3
Software Version
The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.
Metrics
infrastructure
11.2
Software Version
The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.
Metrics
infrastructure
10.6
Software Version
The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.
Metrics
infrastructure
10.5
Software Version
The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.
Metrics
infrastructure
11.1
Software Version
As previously
disclosed
by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life -
"Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage," Drupal said.
Metrics
infrastructure
11.0
Software Version
As previously
disclosed
by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life -
"Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage," Drupal said.
Metrics
infrastructure
10.4
Software Version
As previously
disclosed
by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life -
"Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage," Drupal said.
Intelligence Sources
The Hacker News
2026-05-21
Security Affairs
2026-05-24
BleepingComputer
2026-05-26
CISA orders feds to patch actively exploited Drupal vulnerability
BleepingComputer
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-07-09T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
13x
attribution
Attributing Entity
SQL
authority
13x
infrastructure
Software Version
11.3.10
version
9x
organisation
Identified Entity
Google/Mandiant
entity
7x
timeline
Temporal Reference
22-01
date
4x
tactic
Cyber Operation Type
Privilege Escalation
tactic
2x
industry
Targeted Sector
Government
sector
2x
target region
Target Region
EUROPE
region
2x
tactic
MITRE ATT&CK Technique
T1588.006 - Vulnerabilities
technique
2x
vulnerability
CVSS Score
10
score
Contextual Telemetry
Context Block
16 METRICS
general metric
Drupal Vulnerabilities
5
drupal vulnerabilities
vulnerability
Exploited CVE
CVE-2026-9082
cve
infrastructure
Unpatched Drupal Installations
670
unpatched drupal installations
general metric
North America
272
north america
financial
Europe
273
europe
general metric
Surfaces
6
surfaces
target region
Target Country
United States
country
general metric
Attack Attempts
15,000
attack attempts
general metric
Individual Sites
6,000
individual sites
general metric
Countries
65
countries
general metric
%
50
%
general metric
Hours
48
hours
general metric
10.4.10 Drupal
7
10.4.10 drupal
general metric
Versions
11
versions
general metric
Drupal Versions
9
drupal versions
general metric
Drupal
8
drupal
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.