ctipilot.ch

Home · Live brief · Weekly 2026-W21

Drupal core CVE-2026-9082 — pre-auth SQL injection, CISA KEV, active exploitation confirmed; NCSC.ch flipped to "actively exploited"

high synthesis discovered 2026-05-18 05:00 UTC single-source

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

If you did nothing this week: an internet-exposed Drupal site on PostgreSQL was anonymously SQL-injectable, and exploitation is now confirmed in the wild. Drupal pre-warned an emergency advisory via PSA-2026-05-18, shipped SA-CORE-2026-004 on 2026-05-21, and by 2026-05-23 the advisory was updated to confirm exploit attempts, CISA had KEV-listed it, and NCSC Switzerland flipped its Cyber Security Hub post 12584 to "Actively exploited."

CVE-2026-9082 is a "highly critical" pre-authentication SQL injection in the Drupal core database abstraction layer, exploitable only against PostgreSQL backends. Drupal is widely deployed across Swiss and EU public-administration web estates; the PostgreSQL-only condition narrows but does not eliminate exposure. Apply the SA-CORE-2026-004 fixed core release immediately; if you cannot patch a PostgreSQL-backed Drupal site, take it off the public internet until you can.

“If you did nothing this week: an internet-exposed Drupal site on PostgreSQL was anonymously SQL-injectable, and exploitation is now confirmed in the wild.” — ctipilot v2 brief (migrated)

vulnerabilities actively-exploited pre-auth cisa-kev patch-available global CVE-2026-9082