CISA has given U.S. government agencies until Wednesday evening to secure their servers against an SQL injection vulnerability in the Drupal content management system (CMS) that it flagged as actively exploited.

Drupal is typically used by large organizations managing massive data structures and multi-site installations, including government entities, educational organizations, major research universities, and high-profile enterprise and media organizations.

Google/Mandiant researcher Michael Maturi discovered this vulnerability (now tracked as CVE-2026-9082) in Drupal's database abstraction API.

The security flaw can be exploited without authentication, allowing attackers to inject arbitrary SQL on PostgreSQL-backed sites via specially crafted requests. Successful exploitation can lead to information disclosure, privilege escalation, and even remote code execution.

The Drupal security team tagged the flaw as "highly critical" before releasing patches and confirming that exploitation attempts had been detected in the wild.