Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV

**CVE-2026-9082 — SQL injection in Drupal Core:** CISA added this recently patched Drupal Core SQL injection (CVSS 6.5) to its KEV after evidence of active exploitation; vendors report more than 15,000 attack attempts against roughly 6,000 sites in 65 countries, largely probing PostgreSQL-backed Drupal sites and focusing on gaming and financial services. Patches are available for supported Drupal versions and FCEB agencies were advised to apply fixes by May 27, 2026.