CISA has added the recently patched SQL injection vulnerability (CVE-2026-9082) in Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed CVE-2026-9082, an SQL injection vulnerability affecting all supported versions of Drupal Core, on its Known Exploited Vulnerabilities (KEV) catalog. This action was taken based on intelligence indicating that the vulnerability is actively being exploited in the wild. The vulnerability has a CVSS score of 6.5 and affects the core framework components.