Drupal is warning users that it’s already seeing attempts to exploit CVE-2026-9082, the highly critical vulnerability patched this week.
The vulnerability affects an API designed to ensure that database queries are sanitized to prevent SQL injection.
“A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases,” Drupal explains.
The flaw can be exploited by unauthenticated attackers to obtain information and in some cases for privilege escalation and remote code execution.
Drupal predicted that an exploit for CVE-2026-9082 may be created within hours or days of disclosure and alerted users prior to the patch’s release on May 20.
The CMS powers hundreds of thousands of websites, but the security hole only impacts sites that use PostgreSQL, and Drupal believes less than 5% are affected.
However, the advisory for CVE-2026-9082 was updated on March 22 to inform users that the risk score has been updated from 20 to 23 “to reflect that exploit attempts are now being detected in the wild”. It’s worth noting that Drupal uses the NIST CMSS scoring system for vulnerabilities and the maximum risk rating is 25.
Imperva reported seeing more than 15,000 exploitation attempts targeting nearly 6,000 sites across 65 countries. Almost half of the attacks were aimed at gaming and financial services websites.
“This pattern suggests attackers and scanners are primarily attempting to identify exposed Drupal sites running vulnerable PostgreSQL-backed configurations. While the activity is currently dominated by reconnaissance and validation, the nature of the vulnerability means successful exploitation could quickly move from probing to data extraction or privilege escalation,” the security firm warned.
‘Highly critical’ vulnerabilities haven’t been patched in Drupal in years and there haven’t been any reports of new Drupal vulnerabilities being exploited in the wild since 2019.
Prior to 2019, the flaws dubbed Drupalgeddon and Drupalgeddon2 made headlines for being exploited to compromise many websites.
Related: Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026
Related: Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild
Related: New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks
