ctipilot.ch


Drupal CVE-2026-9082 — disclosure-only Monday to KEV-confirmed-exploited by Friday

notable synthesis discovered 2026-05-18 05:00 UTC single-source

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

A textbook example of why the weekly lens matters: an item that was a pre-patch warning at the start of the week was confirmed exploited in the wild by its end. Drupal pre-announced an emergency advisory via PSA-2026-05-18 (daily 2026-05-20); SA-CORE-2026-004 shipped the "highly critical" pre-auth SQL injection fix on 2026-05-21; and by 2026-05-23 Drupal had updated the advisory to confirm exploit attempts, CISA had KEV-listed it, and NCSC Switzerland had flipped its Cyber Security Hub post 12584 to "Actively exploited." See § 1 for the operational framing — the trajectory itself is the lesson: a PostgreSQL-backed public-sector Drupal site left unpatched across this one week moved from "watch" to "presumed-targeted."

“A textbook example of why the weekly lens matters: an item that was a pre-patch warning at the start of the week was confirmed exploited in the wild by its end.” — ctipilot v2 brief (migrated)

vulnerabilities actively-exploited pre-auth cisa-kev patch-available global CVE-2026-9082