The Core Is the Vulnerability
SA-CORE-2026-004 (CVE-2026-9082) is a highly critical SQL injection vulnerability in Drupal core's database abstraction API. Not in a contributed module. Not in a third-party plugin. In the framework's own database layer. The vulnerability allows fully anonymous users to send specially crafted requests that result in arbitrary SQL injection on any Drupal site using PostgreSQL.
The Drupal Security Team rated it 20 out of 25 on its risk scale — Highly Critical. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog, which is the strongest signal that active exploitation is occurring and that federal agencies must patch. Exploit attempts have been detected in the wild since May 22, 2026 — two days after disclosure.
Drupal's Core Problem
WordPress's 18,005 CVEs are predominantly in plugins — third-party code written by independent developers. WordPress defenders argue that core is secure; the plugins are the problem. Drupal's SA-CORE-2026-004 eliminates that argument for Drupal itself. This is a core vulnerability. Written by the Drupal core team. Reviewed through Drupal's security process. Present in every supported version.
Fixes shipped across six branches: 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. Best-effort patches were also released for end-of-life Drupal 8.9 and Drupal 9 — an acknowledgment that organizations running unsupported versions are exposed and cannot easily upgrade. The breadth of the patch illustrates the maintenance burden of a monolithic CMS framework.
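Because the fix landed on six branches at once, the first operational question for anyone running a fleet of Drupal sites is simply which hosts are still below the fixed release for their branch. The following script is an added example, not code from the Drupal project or the advisory: it takes the fixed-version list exactly as stated above and classifies reported core versions against it. The hostnames and versions in the sample inventory are constructed, and the 8.9/9 line is only flagged for manual verification because the advisory gives no release numbers for the best-effort patches.

```python
"""Classify Drupal core versions against the SA-CORE-2026-004 fixed releases.

Added example, not Drupal project code. FIXED_RELEASES is transcribed from
the advisory text; everything else (hostnames, versions) is constructed.
"""

# Minimum patched release per supported branch, keyed by (major, minor).
FIXED_RELEASES = {
    (11, 3): (11, 3, 10),
    (11, 2): (11, 2, 12),
    (11, 1): (11, 1, 10),
    (10, 6): (10, 6, 9),
    (10, 5): (10, 5, 10),
    (10, 4): (10, 4, 10),
}

# End-of-life majors that received best-effort patches. The advisory states no
# release numbers for them, so they cannot be checked numerically here.
BEST_EFFORT_MAJORS = {8, 9}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '10.5.9' (optionally with a '-dev' or '-rc1' suffix) into (10, 5, 9)."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def patch_status(version: str) -> str:
    """Return one of:
      'patched'         at or above the fixed release for its branch
      'vulnerable'      supported branch, below the fixed release
      'best-effort'     EOL 8.x/9.x line; verify the best-effort patch by hand
      'not-in-advisory' branch the advisory does not list (e.g. 10.3.x)
    """
    major, minor, patch = parse_version(version)
    if major in BEST_EFFORT_MAJORS:
        return "best-effort"
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "not-in-advisory"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group a {hostname: version} inventory by patch status."""
    groups: dict[str, list[str]] = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(patch_status(version), []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {
        "intranet.example": "10.5.9",
        "portal.example": "10.5.10",
        "news.example": "11.3.10",
        "legacy.example": "9.5.11",
        "old.example": "10.3.8",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:16} {', '.join(hosts)}")
```

Anything classified as not-in-advisory is not automatically safe: a branch older than 10.4 that the advisory does not mention still needs an upgrade path, and a branch newer than the ones listed needs to be checked against the release notes directly.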
The CISA KEV Signal
CISA's Known Exploited Vulnerabilities catalog is not a theoretical risk register. It documents vulnerabilities that are confirmed exploited in the wild. Federal agencies are legally required to patch KEV entries within specified timeframes. When a web framework vulnerability enters the KEV catalog, it means attackers are actively using it against production systems.
WebPulse tracks CISA KEV entries as a security scoring dimension. Drupal now has a core framework entry in the KEV catalog — not a module, not a plugin, the framework itself. This joins WordPress's KEV entries and distinguishes both legacy CMS frameworks from modern alternatives. Hugo, Astro, Eleventy, and FastAPI have zero CISA KEV entries because they have no runtime attack surface for anonymous users to exploit.
The Legacy CMS Exposure
Drupal's market share is smaller than WordPress's, but its deployment profile is different. Drupal powers government websites, university portals, media organizations, and enterprise intranets. These are exactly the high-value targets that make a CISA KEV entry consequential. A SQL injection in a government Drupal site is not a defacement — it is a data breach.
The operational cost of SA-CORE-2026-004 extends beyond patching. Organizations must audit PostgreSQL databases for signs of exploitation, review access logs for crafted requests, and verify data integrity. For Drupal sites running on PostgreSQL — common in enterprise and government deployments — the vulnerability window between May 20 disclosure and patch deployment is a period of confirmed exposure to a known-exploited vulnerability.
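The log review mentioned above is the part of that response most teams have to improvise. The script below is an added example, not code from Drupal, WebPulse or the advisory: it parses combined-format web server access logs, percent-decodes each request target until stable so double-encoded parameters are seen as the application saw them, and scores the decoded target against generic SQL-injection indicators. The log lines are constructed, and the indicator list is generic SQL-syntax signalling rather than the specific request shape used against SA-CORE-2026-004, which the advisory does not publish. Hits are leads for manual review, not proof of compromise.

```python
"""Triage access logs for requests that look like SQL injection attempts.

Added example, not Drupal or WebPulse code. SAMPLE_LOG is constructed; the
INDICATORS are generic SQL-syntax patterns with weights, and a request is
flagged when its weighted score reaches FLAG_THRESHOLD.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format:
# ip - user [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (label, weight, pattern) applied to the fully decoded request target.
INDICATORS = [
    ("union-select", 2, re.compile(r"\bunion\b.{0,30}?\bselect\b", re.I | re.S)),
    ("stacked-statement", 2, re.compile(
        r";\s*(select|insert|update|delete|drop|alter|create|copy)\b", re.I)),
    ("quote-boolean", 2, re.compile(r"'\s*(or|and)\s+['\d(]", re.I)),
    ("quote-keyword", 1, re.compile(r"'\s*(union|select|order\s+by|where|having)\b", re.I)),
    ("sql-comment", 1, re.compile(r"--|/\*")),
]
FLAG_THRESHOLD = 2

# Constructed sample: two benign lines (one with a harmless '--' in a slug) and
# three that should be flagged. IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [22/May/2026:10:01:02 +0000] "GET /node/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [22/May/2026:10:01:09 +0000] "GET /blog/foo--bar HTTP/1.1" 200 4090 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/May/2026:10:02:41 +0000] "GET /search/node?keys=x%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 7301 "-" "curl/8.0"',
    '198.51.100.8 - - [22/May/2026:10:02:42 +0000] "GET /node/5?sort=%2527%2520OR%25201%253D1 HTTP/1.1" 500 312 "-" "curl/8.0"',
    '198.51.100.9 - - [22/May/2026:10:02:43 +0000] "GET /node/7?id=7%3B%20SELECT%201-- HTTP/1.1" 500 312 "-" "curl/8.0"',
]


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded input is seen as sent."""
    current = target
    for _ in range(rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def score_target(target: str) -> tuple[int, list[str]]:
    """Return (weighted score, matched indicator labels) for one request target."""
    decoded = decode_target(target)
    hits = [label for label, _w, pat in INDICATORS if pat.search(decoded)]
    score = sum(w for label, w, _p in INDICATORS if label in hits)
    return score, hits


def scan_access_log(lines: list[str]) -> list[dict]:
    """Return one finding per parseable line whose score reaches FLAG_THRESHOLD."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # in production, count unparseable lines rather than dropping them
        score, hits = score_target(m["target"])
        if score >= FLAG_THRESHOLD:
            findings.append({
                "ip": m["ip"], "time": m["time"], "method": m["method"],
                "status": m["status"], "target": decode_target(m["target"]),
                "score": score, "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']:14} score={f['score']} {f['indicators']} {f['target']}")
```

Two caveats that apply regardless of the indicator list: access logs record only the request line, so parameters sent in a POST body are invisible to this pass and need application-level or WAF logging instead; and a 200 response to a flagged request deserves more attention than a 500, because an error often means the injected syntax was rejected, while a successful response means the query ran.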