Public administration — web-CMS and identity estate under multi-vector pressure

Public-sector web and identity infrastructure took hits from several directions this week: the actively-exploited Drupal pre-auth SQLi (§ 1), ANSSI/CERT-FR's CERTFR-2026-AVI-0635 on SPIP < 4.4.15 (the dominant French public-administration CMS), the unpatched Sparx Enterprise Architect chain and the Keycloak IAM cluster (§ 3), and Webworm's pivot to EU government targets (§ 7). Add the Krebs-reported CISA-contractor exposure of AWS GovCloud admin keys in a public GitHub repo for ~6 months (daily 2026-05-19) and the Rhysida Stuttgart claim (§ 5), and the week's signal is that the public-administration estate's CMS, IAM and cloud-credential surfaces are all live targets simultaneously. Prioritise the CMS/IAM patch SLAs and audit cloud-credential hygiene in contractor repositories.