
Drupal CVE-2026-9082: From Advisory to Mass Exploitation in 48 Hours


Drupal CVE-2026-9082 went from advisory to mass exploitation in 48 hours. CISA added it to KEV three days later.

On May 20, the Drupal Security Team published SA-CORE-2026-004, a highly-critical SQL injection vulnerability in the Drupal Core database abstraction API. By May 22, Imperva had tracked more than 15,000 exploitation attempts against roughly 6,000 distinct PostgreSQL-backed Drupal sites across 65 countries. CISA added the CVE to its Known Exploited Vulnerabilities catalog the same day, with a federal civilian deadline of June 5.

This is the fastest publicized advisory-to-mass-exploitation cycle I have seen for a major CMS in 2026. If your organization runs Drupal on PostgreSQL and has not patched, scanners have already touched you.

What the bug is

CVE-2026-9082 is a SQL injection vulnerability in Drupal's core database abstraction API. The flaw allows an unauthenticated attacker to send crafted requests that achieve arbitrary SQL injection on Drupal sites running PostgreSQL. CVSS comes in at 6.5, but Drupal's own severity rating is Highly critical, and the practical impact range covers information disclosure, privilege escalation, and in some configurations remote code execution.

The scope is PostgreSQL only. MySQL, MariaDB, and SQLite installations are not affected. This is unusual for a Drupal Core vulnerability and is a useful filter. If your site runs on any backend other than PostgreSQL, you are not exposed.

Affected versions span the entire supported Drupal tree. Fixed versions are 11.3, 11.2, 10.6, and 10.5.

What the attackers are doing

Imperva's WAF telemetry from the first 48 hours after disclosure gives the cleanest picture of how this exploitation cycle is playing out. Gaming and Financial Services sites collectively account for roughly half of all observed attack volume. The geographic spread covers 65 countries, with no single region dominating.

The concentration of the exploitation surface is the most useful defender signal. Most observed payloads target JSON:API endpoints, particularly /jsonapi/node/article, with crafted filter parameters designed to test whether the target is vulnerable. These endpoints are public-facing on most Drupal installs and accept arbitrary filter expressions in the URL, which is exactly the kind of input surface that turns a SQL injection bug into a mass-exploitable one.

The second useful signal is the Nuclei marker. A large fraction of the observed exploitation payloads carry strings like nuclei_sa_core_2026_004 in the request. That is not attackers writing custom exploit code. That is attackers running open-source Nuclei templates against every Drupal instance on the internet, looking for the easy wins. The lead time between Drupal's advisory and the availability of a Nuclei template was measured in hours, not days.

CISA KEV addition on May 22

CISA added CVE-2026-9082 to KEV on May 22, three days after the original advisory. The Binding Operational Directive 22-01 deadline for FCEB agencies to remediate is June 5. The KEV addition is a useful signal for enterprise defenders, not just federal agencies. CISA does not add CVEs to KEV speculatively. The addition confirms active exploitation against US federal targets in addition to the international Imperva telemetry.

What to do this week

Three actions for the next 24 to 72 hours, in order.

First, identify every Drupal instance in your environment running PostgreSQL. The bug only affects PostgreSQL backends, so the inventory question is the right starting point. Pay attention to shadow Drupal instances on engineering or marketing teams that may not be on the central web infrastructure roster.

Second, patch every PostgreSQL-backed Drupal instance to one of the fixed versions: 11.3, 11.2, 10.6, or 10.5. The patch itself is straightforward and ships in the standard Drupal update channel. The harder operational question is downtime windows, which you should be willing to compress for this one given the active exploitation telemetry.

Third, audit WAF logs and access logs for the trailing 72 hours. Look for requests to /jsonapi/node/* endpoints carrying unusual filter parameters, particularly any that include SQL keywords (SELECT, UNION, OR, AND) or that carry Nuclei marker strings. Any host that has fielded such requests should be treated as scanned at minimum, and as a possible compromise candidate pending a deeper review of database access logs for unexpected queries.
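As an added example (not code from this post, from Drupal or from Imperva), the following Python script implements the third step's log audit: it parses access-log lines and flags requests to /jsonapi/node/* whose filter parameters carry a Nuclei marker string or SQL keywords. The combined log format, the constructed sample lines, the reason labels and the rule that OR/AND only count alongside a quote or comment marker are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx combined log format: client IP, timestamp, request target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# SELECT/UNION are strong on their own; OR/AND appear in ordinary free-text filters,
# so they only count when a quote or SQL comment marker is present as well.
SQL_STRONG = re.compile(r"\b(SELECT|UNION)\b", re.I)
SQL_WEAK = re.compile(r"\b(OR|AND)\b", re.I)
SQL_META = re.compile(r"['\";]|--|/\*")
NUCLEI_MARK = re.compile(r"nuclei", re.I)  # e.g. nuclei_sa_core_2026_004 seen in the wild


def classify_request(target):
    """Return the reasons a request target looks like SA-CORE-2026-004 probing, or []."""
    parts = urlsplit(target)
    if not parts.path.startswith("/jsonapi/node/"):
        return []
    # parse_qsl percent-decodes keys and values, so encoded payloads are inspected decoded.
    params = parse_qsl(parts.query, keep_blank_values=True)
    filter_text = " ".join(f"{k}={v}" for k, v in params if k.startswith("filter["))
    reasons = []
    if NUCLEI_MARK.search(filter_text):
        reasons.append("nuclei-marker")
    if SQL_STRONG.search(filter_text):
        reasons.append("sql-keyword")
    elif SQL_WEAK.search(filter_text) and SQL_META.search(filter_text):
        reasons.append("sql-boolean-with-metachar")
    return reasons


def scan_access_log(log_text):
    """Return one dict per suspicious request: ip, ts, status, path and reasons."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify_request(m["target"])):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "path": urlsplit(m["target"]).path, "reasons": reasons})
    return hits


# Constructed sample lines for the demo, not real telemetry.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2026:10:01:02 +0000] "GET /jsonapi/node/article?filter[title][value]=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/May/2026:10:01:05 +0000] "GET /jsonapi/node/article?filter[nuclei_sa_core_2026_004][condition][path]=title HTTP/1.1" 400 120 "-" "Go-http-client/1.1"
198.51.100.9 - - [21/May/2026:10:02:11 +0000] "GET /jsonapi/node/page?filter[a][condition][value]=1%27%20OR%201%3D1%20UNION%20SELECT HTTP/1.1" 500 88 "-" "curl/8.0"
192.0.2.3 - - [21/May/2026:10:03:00 +0000] "GET /node/1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""
```

Calling scan_access_log(SAMPLE_LOG) returns the second and third sample lines, tagged nuclei-marker and sql-keyword respectively; pipe a real access log through the same function and treat every returned IP as a scanned host at minimum.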

For Uzbek government and municipal operators with public Drupal portals on PostgreSQL backends, the practical urgency is identical. The Nuclei templates do not discriminate by geography. If your site is internet-accessible, it has been scanned. Treat patch-and-audit as the operational priority for this week.

The broader pattern

CVE-2026-9082 is the third major web-CMS or web-framework bug in 2026 to follow the advisory-to-mass-exploitation-in-48-hours cycle, after the Apache HTTP/2 flaw (CVE-2026-23918) in April and the Spring Framework deserialization bug (CVE-2026-31280) in March. The pattern is now consistent enough to plan for.

The defender response is not to try to find these bugs faster, since the bugs are being disclosed publicly by the maintainers themselves. The defender response is to compress your patch-cycle latency for the major web frameworks your organization depends on. If your average time from advisory-to-patched in production for Drupal, Apache, Spring, or any other internet-facing framework is measured in weeks, this is the moment to invest in cutting that down to days.

The Nuclei template ecosystem is now a free, public, mass-distribution platform for exploit primitives, and there is no putting that genie back. The defender posture for 2026 is to assume that any high-profile web framework bug will have a working Nuclei template within hours of disclosure and to plan patch operations against that timeline.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to walk through patch-cycle compression for a specific framework or platform.