Five Entries on the Federal List
CISA's Known Exploited Vulnerabilities catalog is not a theoretical risk assessment. It is a list of vulnerabilities that have been confirmed as actively exploited in the wild. Federal agencies are required to patch KEV entries within specified timelines. Private organizations treat the catalog as a de facto priority list. Drupal appears in it five times — tied with Spring for the highest count among web frameworks tracked by WebPulse.
The latest addition is CVE-2026-9082, a PostgreSQL remote code execution vulnerability added to the KEV catalog on May 22, 2026. It enables unauthenticated attackers to achieve information disclosure, privilege escalation, and code execution on Drupal sites running PostgreSQL backends. The vulnerability exists in Drupal's database abstraction layer — the security boundary that was supposed to prevent exactly this class of attack.
The Enterprise Security Paradox
Drupal's market position has long rested on a specific claim: it is the enterprise-grade CMS, the platform that governments, universities, and large organizations choose when security and scalability matter. The data partially supports this. Drupal's 1,376 total CVEs are a fraction of WordPress's 18,253. Its security team operates with transparency and discipline. Its advisory process is structured and timely.
But the KEV catalog measures something different from total CVE count. It measures confirmed exploitation — vulnerabilities that attackers have used successfully against real targets. By this measure, Drupal's 5 KEV entries exceed WordPress's 4. The platform chosen for enterprise security has more confirmed-exploited vulnerabilities than the platform criticized for its security posture.
The Zero-KEV Alternative
Among the frameworks WebPulse tracks, several carry zero KEV entries: Next.js, Astro, Hugo, FastAPI, Django, Vue, and Angular. Zero does not mean invulnerable — it means that no vulnerability in these frameworks has been confirmed as actively exploited and added to the federal catalog. The distinction matters for compliance-sensitive organizations. A KEV entry triggers mandatory response timelines, audit documentation, and remediation verification. Zero KEV entries means none of those processes are triggered by the framework itself.
The pattern across CMS frameworks is consistent. Drupal's 5 KEV entries, WordPress's 4, and Joomla's presence in the catalog reflect a shared architectural reality: traditional content management systems built in the PHP era carry accumulated attack surface that newer, more narrowly scoped frameworks do not. The vulnerability is not in the code quality — Drupal's code quality is demonstrably high. It is in the architectural surface area that comes with being a monolithic, server-rendered application platform that has been in production for over two decades.
For organizations evaluating CMS platforms, the KEV catalog offers a concrete metric. Total CVE counts reflect the breadth of security research attention. KEV entries reflect confirmed real-world impact. Both metrics matter, but for executives weighing risk, confirmed exploitation carries more weight than theoretical vulnerability.
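One way to compute the metric described above directly from the catalog, as an added example that is not part of the original article: it parses records in the shape of CISA's known_exploited_vulnerabilities.json feed (field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), counts entries per vendor, flags entries past their remediation due date, and filters to the vendors an organization actually runs. The entries embedded below are constructed sample data with placeholder CVE identifiers, not real catalog rows.

```python
"""Count KEV entries per vendor and flag overdue remediation deadlines.

Added example, not from the original article. Input follows the record
layout of CISA's known_exploited_vulnerabilities.json feed; the sample
entries here are constructed with placeholder CVE IDs.
"""
import json
from collections import Counter
from datetime import date

# Constructed sample in the KEV feed's record format (placeholder CVE IDs).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Drupal", "product": "Drupal Core",
         "dateAdded": "2026-05-22", "dueDate": "2026-06-12"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Drupal", "product": "Drupal Core",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31"},
        {"cveID": "CVE-0000-0003", "vendorProject": "WordPress", "product": "WordPress",
         "dateAdded": "2025-03-03", "dueDate": "2025-03-24"},
    ],
})


def load_kev(raw):
    """Return the list of vulnerability records from a KEV feed document."""
    return json.loads(raw)["vulnerabilities"]


def entries_per_vendor(entries):
    """KEV count keyed by vendorProject: the per-framework metric the article compares."""
    return Counter(e["vendorProject"] for e in entries)


def overdue(entries, today_iso):
    """CVE IDs whose catalog due date is earlier than today (ISO date string)."""
    today = date.fromisoformat(today_iso)
    return [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today]


def in_scope(entries, deployed_vendors):
    """Keep only records for vendors the organization runs; an empty result means
    no KEV-driven response timeline is triggered by those platforms."""
    wanted = {v.lower() for v in deployed_vendors}
    return [e for e in entries if e["vendorProject"].lower() in wanted]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print(entries_per_vendor(kev))
    print("overdue:", overdue(kev, "2026-06-01"))
    print("in scope for a Django shop:", in_scope(kev, ["Django"]))
```

Against the live feed, replace `SAMPLE_KEV_JSON` with the downloaded catalog text; the functions are unchanged.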