U.S. CISA adds a flaw in Drupal Core to its Known Exploited Vulnerabilities catalog

U.S. CISA added a critical Drupal Core SQL injection (CVE-2026-9082, CVSS 9.8) to its Known Exploited Vulnerabilities catalog after Drupal released a patch on May 20; the flaw affects PostgreSQL-backed sites and allows unauthenticated attackers to inject arbitrary SQL, potentially causing information disclosure, privilege escalation, or remote code execution. Security firms observed over 15,000 exploitation attempts against nearly 6,000 sites in 65 countries within 48 hours, prompting CISA to require federal agencies to remediate by May 27, 2026.