Drupal Vulnerability in Hacker Crosshairs Shortly After Disclosure

The newly disclosed CVE‑2026‑9082 exposes a critical flaw in Drupal’s API that sanitizes database queries, allowing unauthenticated attackers to inject arbitrary SQL on PostgreSQL‑backed installations. Drupal’s security team anticipated rapid weaponization and issued a patch on May 20, yet the vulnerability’s narrow scope—affecting less than five percent of Drupal sites—does not diminish its severity. By leveraging the API weakness, threat actors can move from reconnaissance to privilege escalation and remote code execution, a progression reminiscent of the infamous Drupalgeddon incidents that plagued the platform in 2014 and 2018.

Security firm Imperva reported over 15,000 exploitation attempts targeting nearly 6,000 sites across 65 nations, with almost half aimed at gaming and financial‑services portals. The surge prompted Drupal to raise the NIST‑based CVSS score from 20 to 23, approaching the system’s top rating of 25. This uptick reflects real‑world scanning activity and validates the advisory’s warning that attackers are actively hunting for exposed PostgreSQL configurations. Compared with the dormant period since 2019, the current activity signals a renewed focus on high‑value Drupal deployments, especially those handling sensitive transaction data.

For organizations running Drupal, the immediate priority is to apply the May 20 patch and verify that all PostgreSQL instances are updated. Beyond patching, continuous monitoring for anomalous requests, employing Web Application Firewalls, and conducting regular code audits are essential to mitigate lingering risk. The episode underscores a broader industry lesson: even widely used content management systems can become lucrative targets when a single API flaw is exposed, reinforcing the need for proactive vulnerability management and rapid response capabilities across the enterprise.