CISA Flags Critical Drupal Core SQL Injection Vulnerability Amid Active Exploitation

CISA has added a critical SQL injection vulnerability in Drupal Core to its KEV catalog following evidence of active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SQL injection vulnerability in Drupal Core (CVE-2026-9082) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of ongoing exploitation. The vulnerability carries a CVSS score of 6.5 and affects all supported versions of Drupal Core, so organizations using the platform should patch their systems promptly to mitigate potential attacks.

The practical implications for businesses are significant, because many organizations rely on Drupal for content management and web applications. Failure to address this vulnerability could lead to unauthorized access to sensitive data, website defacement, and other malicious activity. The situation highlights the importance of keeping software up to date and implementing robust security measures. For the cybersecurity and AI sectors, active exploitation of such vulnerabilities is a reminder of the evolving threat landscape and of the need for continuous monitoring and immediate response to protect critical digital assets.

---

*Originally reported by [The Hacker News](https://thehackernews.com/2026/05/drupal-core-sql-injection-bug-actively.html)*