ctipilot.ch

Drupal core highly-critical pre-auth SQL injection in database abstraction API on PostgreSQL backends; CISA KEV-listed 2026-05-22 (SA-CORE-2026-004)

cve · CVE-2026-9082 single-source

  • Coverage timeline: 4 (first 2026-05-18 → last 2026-05-25)
  • Entries: 4 (3 distinct days)
  • Sources cited: 9 (7 hosts)
  • Sections touched: 3 (updates, weekly-multi-day, weekly-top-stories)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-23 · updates · Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"
  2. 2026-05-21 · updates · Drupal SA-CORE-2026-004 / CVE-2026-9082 ships — "highly critical" pre-auth SQL injection in core database API, PostgreSQL-only
  3. 2026-05-18 · weekly-multi-day · Drupal CVE-2026-9082 — disclosure-only Monday to KEV-confirmed-exploited by Friday
  4. 2026-05-18 · weekly-top-stories · Drupal core CVE-2026-9082 — pre-auth SQL injection, CISA KEV, active exploitation confirmed; NCSC.ch flipped to "actively exploited"

Where this entity is cited

  • updates: 2
  • weekly-top-stories: 1
  • weekly-multi-day: 1

Source distribution

  • drupal.org: 3 (33%)
  • bleepingcomputer.com: 1 (11%)
  • csoonline.com: 1 (11%)
  • imperva.com: 1 (11%)
  • security-hub.ncsc.admin.ch: 1 (11%)
  • securityweek.com: 1 (11%)
  • slcyber.io: 1 (11%)

Related entities

Entries about Drupal core highly-critical pre-auth SQL injection in database abstraction API on PostgreSQL backends; CISA KEV-listed 2026-05-22 (SA-CORE-2026-004) (4)

2026-05-23

Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"

UPDATE — originally covered Drupal SA-CORE-2026-004 / CVE-2026-9082 ships — "highly critical" pre-auth SQL injection in core database API, PostgreSQL-only (2026-05-21)

critical · vulnerability · discovered 2026-05-23 05:00 UTC

On 2026-05-22 Drupal updated SA-CORE-2026-004 to confirm that exploit attempts targeting CVE-2026-9082 — the anonymous pre-authentication SQL injection in the Entity Query API's PostgreSQL path — are now being detected in the wild. NCSC.ch updated Security Hub post 12584 to "Actively exploited" status the same day at 13:52Z, also recording the addition of CVE-2026-9082 to the CISA Known Exploited Vulnerabilities catalog on 2026-05-22 (the NCSC-CH post is the brief's source of record on the KEV add; the CISA news-events alert URL constructed earlier in the day returned a 404 at composition time).

Imperva reports observing 15,000+ exploitation attempts against approximately 6,000 Drupal sites across 65 countries within days of disclosure (Imperva, 2026-05-21). The technical mechanism (now public via the Searchlight Cyber write-up): on the case-insensitive IN operator path through core/lib/Drupal/Core/Entity/Query/Sql/Condition::compile() / ConditionAggregate::compile(), a JSON-encoded array value survives into the SQL placeholder name without sanitisation, allowing injection when the backend is PostgreSQL. Fixed versions: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 and 11.3.10; best-effort patches for EOL Drupal 8.9 and 9 are also available. MySQL/MariaDB/SQLite-backed Drupal sites remain unaffected, which is the temporary control to fall back on if the patch window slips past today.

Defender vantage update from yesterday's brief: the operational frame is no longer "patch when convenient" but patch today — the § 0 Immediate Action carries the operational framing; this UPDATE captures the source-of-record links and the technical mechanism for anyone composing internal advisories or hunt queries. CH/EU specifics: NCSC.ch Security Hub is the authoritative jurisdictional source for Swiss federal and cantonal operators; Drupal-on-PostgreSQL is widespread across FITKO and SWITCH-hosted university sites, French gouvernement.fr instances and EU institution portals. Detection: WAF telemetry for nested JSON arrays in user-supplied fields hitting Drupal endpoints; PostgreSQL log_min_duration_statement to surface anomalous query shapes; web-server logs for unexpected POST payloads to anonymous routes.

Drupal confirmed: exploit attempts are now being detected in the wild

BleepingComputer

Current exploitation status: Actively exploited

NCSC.ch Security Hub

Imperva sees more than 15,000 exploit attempts against around 6,000 Drupal websites in 65 countries

Imperva
vulnerabilities actively-exploited pre-auth rce cisa-kev patch-available global switzerland europe CVE-2026-9082

2026-05-21

Drupal SA-CORE-2026-004 / CVE-2026-9082 ships — "highly critical" pre-auth SQL injection in core database API, PostgreSQL-only

UPDATE — originally covered Drupal core "highly critical" pre-patch warning — unauthenticated, zero-complexity, patch window today 17:00–21:00 UTC (2026-05-20)

high · vulnerability · discovered 2026-05-21 05:00 UTC

Yesterday's brief carried Drupal's PSA pre-warning that a "highly critical" core advisory was scheduled for 2026-05-20; today the SA-CORE-2026-004 advisory landed with CVE-2026-9082 assigned — an anonymous SQL injection in Drupal core's database abstraction API (CWE-89) rated 20/25 on Drupal's risk scale (Highly Critical) that affects only PostgreSQL-backed installations. Specially-crafted HTTP requests slip past sanitisation in the core DB-API layer and inject arbitrary SQL with no authentication; successful exploitation leads to information disclosure, privilege escalation and — in some database configurations — RCE. The Drupal Security Team explicitly stated that "exploits might be developed within hours or days" of advisory release (Drupal PSA, 2026-05-18).

Affected versions: 8.9.0 through 10.4.10, 10.5.x < 10.5.10, 10.6.x < 10.6.9, 11.0.0 through 11.1.10, 11.2.x < 11.2.12, 11.3.x < 11.3.10. Patched: 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 (released 2026-05-20). MySQL / MariaDB / SQLite installations are not affected by this CVE. Drupal 7 is unaffected; sites on EOL Drupal 8/9 majors must apply manual patch files. Drupal Steward WAF subscribers receive vendor-provided rules at advisory release per the service description; non-subscriber sites must apply the core update. NCSC-CH carried the advisory in its Security Hub (NCSC-CH, 2026-05-19; SecurityWeek, 2026-05-19; CSO Online, 2026-05-20).
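
The version matrix above turned into a triage check, as an added example (not code from Drupal or from this brief): it classifies a site from its core version and database driver using the fixed releases listed here. The inventory rows and function names are assumptions, the driver is expected as Drupal's `pgsql` driver key, and branches the text does not list come back as unknown.

```python
import re

# First fixed release per supported branch, as listed in the entry above.
# Each row also covers older minors of the same major, which must move up to it.
FIXED = [((10, 4), (10, 4, 10)), ((10, 5), (10, 5, 10)), ((10, 6), (10, 6, 9)),
         ((11, 1), (11, 1, 10)), ((11, 2), (11, 2, 12)), ((11, 3), (11, 3, 10))]

# Constructed sample inventory: (site, core version, database driver).
INVENTORY = [
    ("intranet.example", "10.5.9", "pgsql"),
    ("portal.example", "11.3.10", "pgsql"),
    ("shop.example", "10.3.5", "mysql"),
    ("archive.example", "9.5.11", "pgsql"),
    ("legacy.example", "11.0.3", "pgsql"),
]


def parse_version(text):
    """Parse '10.5.9' or '11.2.12-dev' into a comparable (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(core_version, db_driver):
    """Classify one site for CVE-2026-9082 from its version and DB driver."""
    ver = parse_version(core_version)
    major, minor = ver[0], ver[1]
    if db_driver.strip().lower() != "pgsql":   # only PostgreSQL is affected
        return "not affected (non-PostgreSQL backend)"
    if major == 7:
        return "not affected (Drupal 7)"
    if major in (8, 9) and ver >= (8, 9, 0):   # EOL majors: no fixed release
        return "EOL: apply manual patch file"
    for (b_major, b_minor), fixed in FIXED:
        if major == b_major and minor <= b_minor:
            if ver >= fixed:
                return "patched"
            return "VULNERABLE: update to " + ".".join(map(str, fixed))
    return "unknown: branch not listed in the advisory text"


def triage_inventory(rows):
    """Return {site: verdict} for an iterable of (site, version, driver)."""
    return {site: triage(version, driver) for site, version, driver in rows}


if __name__ == "__main__":
    for site, verdict in triage_inventory(INVENTORY).items():
        print(f"{site:20} {verdict}")
```

A version string cannot show whether a manual patch file was applied on an EOL site, so those rows need a separate check.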

vulnerabilities pre-auth patch-available eu-nexus global europe switzerland CVE-2026-9082

2026-05-18

Drupal CVE-2026-9082 — disclosure-only Monday to KEV-confirmed-exploited by Friday

notable · synthesis · discovered 2026-05-18 05:00 UTC · single-source

A textbook example of why the weekly lens matters: an item that was a pre-patch warning at the start of the week was confirmed exploited in the wild by its end. Drupal pre-announced an emergency advisory via PSA-2026-05-18 (daily 2026-05-20); SA-CORE-2026-004 shipped the "highly critical" pre-auth SQL injection fix on 2026-05-21; and by 2026-05-23 Drupal had updated the advisory to confirm exploit attempts, CISA had KEV-listed it, and NCSC Switzerland had flipped its Cyber Security Hub post 12584 to "Actively exploited." See § 1 for the operational framing — the trajectory itself is the lesson: a PostgreSQL-backed public-sector Drupal site left unpatched across this one week moved from "watch" to "presumed-targeted."

ctipilot v2 brief (migrated)
vulnerabilities actively-exploited pre-auth cisa-kev patch-available global CVE-2026-9082

2026-05-18

Drupal core CVE-2026-9082 — pre-auth SQL injection, CISA KEV, active exploitation confirmed; NCSC.ch flipped to "actively exploited"

high · synthesis · discovered 2026-05-18 05:00 UTC · single-source

If you did nothing this week: an internet-exposed Drupal site on PostgreSQL was anonymously SQL-injectable, and exploitation is now confirmed in the wild. Drupal pre-warned an emergency advisory via PSA-2026-05-18, shipped SA-CORE-2026-004 on 2026-05-21, and by 2026-05-23 the advisory was updated to confirm exploit attempts, CISA had KEV-listed it, and NCSC Switzerland flipped its Cyber Security Hub post 12584 to "Actively exploited."

CVE-2026-9082 is a "highly critical" pre-authentication SQL injection in the Drupal core database abstraction layer, exploitable only against PostgreSQL backends. Drupal is widely deployed across Swiss and EU public-administration web estates; the PostgreSQL-only condition narrows but does not eliminate exposure. Apply the SA-CORE-2026-004 fixed core release immediately; if you cannot patch a PostgreSQL-backed Drupal site, take it off the public internet until you can.

ctipilot v2 brief (migrated)
vulnerabilities actively-exploited pre-auth cisa-kev patch-available global CVE-2026-9082