CISA Known Exploited Vulnerability

CVE-2026-9082

Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.

⚠ Actively exploited (CISA KEV) Drupal Joomla 2026
CISA catalog entry
Product: Core
Vendor: Drupal
Added to KEV: 2026-05-22
Remediation due: 2026-05-27
What WebPulse reported · 7 analyses
Drupal's 'Highly Critical' PostgreSQL Vulnerability: Unauthenticated RCE for the 5% Nobody Patches First.

CVE-2026-9082 enables unauthenticated information disclosure, privilege escalation, and remote code execution on Drupal sites using PostgreSQL. Drupal says less

June 20, 2026
Drupal Was the Safe One. Then CVE-2026-9082 Hit CISA KEV.

CVSS 9.8. Unauthenticated SQL injection in Drupal Core. Added to CISA KEV two days after disclosure. 15,000 attacks across 65 countries. The CMS governments cho

June 9, 2026
Drupal Has 5 CISA KEV Entries. The Enterprise CMS Is on the Federal Watchlist.

Drupal has more KEV entries than any CMS. The latest PostgreSQL RCE was added May 2026.

June 21, 2026
Joomla JCE Scores a Perfect 10: CISA KEV, PHP Web Shells, Zero Authentication Required

CVE-2026-48907 is a CVSS 10.0 flaw in the Joomla Content Editor plugin. Attackers upload PHP web shells through unauthenticated profile imports. CISA orders fed

June 18, 2026
CISA's New Directive: 3 Days to Patch the Worst Vulnerabilities. Not 30. Not 14. Three.

Binding Operational Directive 26-04 replaces the old 30-day patch window with risk-based timelines. Publicly exposed, auto-exploitable vulnerabilities in the KE

June 16, 2026
TYPO3: Another Legacy CMS, Another Form Framework SQL Injection, Another Privilege Escalation

TYPO3-CORE-SA-2026-019. Broken access control in the Form Framework allows maliciously crafted form definitions to execute arbitrary SQL and create admin accoun

June 13, 2026
Drupal Core SQL Injection: Anonymous Access, CISA KEV, Exploited in the Wild

CVE-2026-9082. Highly critical. Anonymous SQL injection in Drupal core — not a contributed module, not a plugin, the core framework itself. CISA added it to the

June 13, 2026
View CVE-2026-9082 on the NIST National Vulnerability Database →