UPDATE: Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"
From CTI Daily Brief — 2026-05-23 · published 2026-05-23
UPDATE (originally covered 2026-05-21): On 2026-05-22 Drupal updated SA-CORE-2026-004 to confirm that exploit attempts targeting CVE-2026-9082 — the anonymous pre-authentication SQL injection in the Entity Query API's PostgreSQL path — are now being detected in the wild. NCSC.ch updated Security Hub post 12584 to "Actively exploited" status the same day at 13:52Z, also recording the addition of CVE-2026-9082 to the CISA Known Exploited Vulnerabilities catalog on 2026-05-22 (the NCSC-CH post is the brief's source of record on the KEV add; the CISA news-events alert URL constructed earlier in the day returned a 404 at composition time).
Imperva reports observing 15,000+ exploitation attempts against approximately 6,000 Drupal sites across 65 countries within days of disclosure (Imperva, 2026-05-21). The technical mechanism (now public via the Searchlight Cyber write-up): on the case-insensitive IN operator path through core/lib/Drupal/Core/Entity/Query/Sql/Condition::compile() / ConditionAggregate::compile(), a JSON-encoded array value survives into the SQL placeholder name without sanitisation, which allows injection when the backend is PostgreSQL. Fixed versions: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 and 11.3.10; best-effort patches for the EOL Drupal 8.9 and 9 branches are also available. MySQL/MariaDB/SQLite-backed Drupal sites are unaffected, so if the patch window slips past today the database driver actually configured in settings.php (not the one assumed in the asset inventory) is the criterion for deciding which sites can wait; every PostgreSQL-backed site patches today.

Defender vantage update from yesterday's brief: the operational frame is no longer "patch when convenient" but patch today. The § 0 Immediate Action carries the operational framing; this UPDATE captures the source-of-record links and the technical mechanism for anyone composing internal advisories or hunt queries.

CH/EU specifics: NCSC.ch Security Hub is the authoritative jurisdictional source for Swiss federal and cantonal operators; Drupal-on-PostgreSQL is widespread across FITKO and SWITCH-hosted university sites, French gouvernement.fr instances and EU institution portals.

Detection: WAF telemetry for JSON-encoded (especially nested) arrays arriving in user-supplied string fields on Drupal endpoints; PostgreSQL log_min_duration_statement set low enough to capture entity-query traffic (it logs by duration, not by shape, so pair it with log_statement where the log volume is tolerable) to surface anomalous query shapes; web-server logs for unexpected POST payloads to anonymous routes.
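Two of the items above lend themselves to a small triage script: mapping an installed Drupal core version and database driver onto the fixed-version list, and flagging request telemetry whose user-supplied string fields carry a JSON-encoded array (the carrier the write-up describes). The following is an added example written for this brief; it is not Drupal, Searchlight Cyber or NCSC-CH code. The fixed-version table is transcribed from the advisory as quoted above; the status names, the event record format, the sample events and their paths are all constructed for illustration and do not represent the exploited route or any observed attack traffic.

```python
"""Triage helpers for CVE-2026-9082 (added example; not Drupal's or NCSC-CH's code).
Part 1: classify an installed core version + DB driver against the fixed releases.
Part 2: flag WAF/access events whose string fields hold a JSON-encoded array.
All sample data below is constructed; paths are illustrative, not the exploited route."""
import json
import re
from urllib.parse import parse_qsl

# Fixed releases per SA-CORE-2026-004 as quoted in the brief: branch -> first fixed patch level.
FIXED_PATCH = {(10, 4): 10, (10, 5): 10, (10, 6): 9, (11, 1): 10, (11, 2): 12, (11, 3): 10}
PGSQL_DRIVERS = {"pgsql", "postgresql"}  # driver names as commonly written in settings.php


def version_status(version):
    """Hypothetical status labels: patched / update_required / eol_best_effort_patch /
    no_fixed_release_listed / unknown_version."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown_version"
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) == (8, 9) or major == 9:
        return "eol_best_effort_patch"      # EOL branch: only a best-effort patch exists
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "no_fixed_release_listed"    # branch absent from the advisory: treat as unpatched
    return "patched" if patch >= fixed else "update_required"


def triage(version, db_driver):
    """Exposed = PostgreSQL-backed and not on a fixed release (unknown counts as exposed)."""
    status = version_status(version)
    exposed = db_driver.lower() in PGSQL_DRIVERS and status != "patched"
    return {"version_status": status, "exposed": exposed}


def _string_leaves(obj, prefix=""):
    """Yield (field_path, value) for every string leaf of a decoded JSON body."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _string_leaves(v, f"{prefix}.{k}" if prefix else str(k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _string_leaves(v, f"{prefix}[{i}]")
    elif isinstance(obj, str):
        yield prefix, obj


def _fields(event):
    """Flatten query string and body (form-encoded or JSON) into (field, string) pairs."""
    pairs = list(parse_qsl(event.get("query", ""), keep_blank_values=True))
    body, ctype = event.get("body", ""), event.get("content_type", "")
    if body:
        if ctype.startswith("application/json"):
            try:
                pairs.extend(_string_leaves(json.loads(body)))
            except ValueError:
                pass                       # malformed JSON is not this detector's concern
        else:
            pairs.extend(parse_qsl(body, keep_blank_values=True))
    return pairs


def _array_depth(value):
    """Nesting depth if the string is a JSON-encoded array, else 0 ("[1]" -> 1, "[[1]]" -> 2)."""
    s = value.strip()
    if not s.startswith("["):
        return 0
    try:
        decoded = json.loads(s)
    except ValueError:
        return 0
    if not isinstance(decoded, list):
        return 0

    def depth(x):
        return 1 + max((depth(i) for i in x if isinstance(i, list)), default=0)

    return depth(decoded)


def scan_events(events):
    """Return findings sorted anonymous-first, then by nesting depth descending."""
    findings = []
    for ev in events:
        for field, value in _fields(ev):
            d = _array_depth(value)
            if d:
                findings.append({"path": ev["path"], "method": ev["method"], "field": field,
                                 "depth": d, "anonymous": not ev.get("authenticated", False)})
    findings.sort(key=lambda f: (not f["anonymous"], -f["depth"]))
    return findings


# Constructed sample telemetry (WAF-style records); the third body is ["a",["b"]] URL-encoded.
SAMPLE_EVENTS = [
    {"method": "GET", "path": "/search/node", "query": "keys=drupal", "authenticated": False},
    {"method": "POST", "path": "/contact/feedback", "content_type": "application/x-www-form-urlencoded",
     "body": "name=alice&message=hello", "authenticated": False},
    {"method": "POST", "path": "/node/12", "content_type": "application/x-www-form-urlencoded",
     "body": "title=x&field=%5B%22a%22%2C%5B%22b%22%5D%5D", "authenticated": False},
    {"method": "POST", "path": "/api/search", "content_type": "application/json",
     "body": '{"data": {"attributes": {"title": "[[1]]"}}}', "authenticated": True},
]

if __name__ == "__main__":
    print(triage("10.5.9", "pgsql"))      # exposed: update_required on PostgreSQL
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The detector deliberately keys on a string field whose content decodes to a JSON array rather than on any route, because the brief names the carrier (a JSON-encoded array reaching the placeholder name) but not an endpoint; tune the anonymous/authenticated split to your own session signal, and treat `no_fixed_release_listed` as "unpatched until proven otherwise" rather than as safe.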