Drupal is warning that hackers are attempting to exploit a "highly critical" SQL injection vulnerability announced earlier this week.

The content management system (CMS) project published a PSA on May 18, urging administrators to reserve time for core updates that addressed an issue that threat actors might start exploiting "within hours or days."

The flaw is now tracked as CVE-2026-9082 and was discovered by Google/Mandiant researcher Michael Maturi. It affects Drupal’s database abstraction API and allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL.

SQL injection is a flaw in which attackers inject malicious SQL commands into database queries via user input fields or dialogs on websites, resulting in unauthorized access, modification, or deletion of database data.

The flaw is exploitable without authentication and could result in remote code execution, privilege escalation, and information disclosure.
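Because the flaw only affects sites using PostgreSQL, a first triage step is to find which Drupal sites actually run on that driver. The sketch below is an added example, not code from the article or the Drupal project: it assumes the standard `sites/*/settings.php` layout, its function names are hypothetical, and the comment stripping is a heuristic (needed because settings files commonly carry commented-out driver examples that a plain text search would match).

```python
import re
from pathlib import Path

# Heuristic: PHP block comments, // line comments (but not "://" in URLs), # lines.
_COMMENTS = re.compile(r"/\*.*?\*/|(?<!:)//[^\n]*|^\s*#[^\n]*", re.S | re.M)
# Matches both  'driver' => 'pgsql'  and  [...]['driver'] = 'pgsql'
_DRIVER = re.compile(r"""['"]driver['"]\s*\]?\s*=>?\s*['"](\w+)['"]""")

def active_drivers(settings_php: str) -> set[str]:
    """Return database drivers named in live (uncommented) PHP code."""
    return set(_DRIVER.findall(_COMMENTS.sub("", settings_php)))

def uses_postgresql(settings_php: str) -> bool:
    return "pgsql" in active_drivers(settings_php)

def scan_docroot(docroot: str) -> dict[str, bool]:
    """Check every sites/*/settings.php under a docroot (multisite aware)."""
    return {str(p): uses_postgresql(p.read_text(errors="replace"))
            for p in Path(docroot).glob("sites/*/settings.php")}

# Constructed sample: pgsql appears only in comments, the live driver is mysql.
SAMPLE_MYSQL = """<?php
/**
 * @code
 * $databases['default']['default'] = [
 *   'driver' => 'pgsql',
 * ];
 * @endcode
 */
// 'driver' => 'pgsql',
$databases['default']['default'] = [
  'driver' => 'mysql',
  'host' => 'localhost',
];
"""

# Constructed sample: a site that is in scope for the advisory.
SAMPLE_PGSQL = """<?php
$databases['default']['default'] = [
  'driver' => 'pgsql',
  'host' => 'db.internal.example',
];
"""

if __name__ == "__main__":
    for path, hit in scan_docroot(".").items():
        print(("PostgreSQL: prioritize update  " if hit else "other driver  ") + path)
```

Run from a Drupal docroot, it lists each site's settings file and whether its live configuration names the `pgsql` driver; settings pulled in through `include` files or environment variables are not followed and need a manual check.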