The One They Trusted
WebPulse's government scanning data tells a clear story: .gov domains are 49% Drupal. Education is 35.7% Drupal. The European Commission runs Drupal. Australia's digital infrastructure runs Drupal. When security-conscious organizations evaluated CMS options, Drupal was the answer. Smaller attack surface than WordPress. Security team with a formal advisory process. No plugin-marketplace free-for-all.
CVE-2026-9082 landed on May 20, 2026. Unauthenticated SQL injection in Drupal Core's JSON:API — not a contributed module, not a third-party plugin, but the core framework itself. CVSS 9.8. CISA added it to the Known Exploited Vulnerabilities catalog two days later, with a federal remediation deadline of May 27. Imperva observed 15,000+ attack attempts targeting approximately 6,000 sites across 65 countries within the first five days.
Core Flaw, Not Plugin Flaw
This distinction matters. WordPress's 18,005 CVEs are overwhelmingly in plugins — the ecosystem's weakness, not the core's. WordPress defenders have always argued that core WordPress is reasonably secure; the problem is the plugin ecosystem. Drupal's pitch was that it didn't have WordPress's plugin problem.
CVE-2026-9082 is in Drupal Core. The JSON:API module — enabled by default since Drupal 9 — contained the SQL injection. Every PostgreSQL-backed Drupal installation from version 8.0 through 11.3.9 was vulnerable. This isn't 'a Drupal module had a bug.' This is 'the framework itself had a critical flaw in a default-enabled API that's been shipping for years.'
The affected versions span nearly a decade of Drupal releases. Organizations that chose Drupal specifically for its security posture were running vulnerable core code the entire time.
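Because the exposure described above is defined by a version range and a database backend rather than by site configuration, the first defensive task is inventory triage: which sites fall inside Drupal 8.0 through 11.3.9 on PostgreSQL, and which merely need a routine update. The following script is an added illustration, not WebPulse's tooling or anything from the Drupal project; the inventory record layout, the backend labels ("pgsql", "mysql") and the sample hosts are constructed assumptions, and the version boundaries are taken from the text above.

```python
from dataclasses import dataclass

# Affected range as stated in the article: Drupal 8.0 through 11.3.9, inclusive.
AFFECTED_MIN = (8, 0, 0)
AFFECTED_MAX = (11, 3, 9)


@dataclass
class Site:
    """One row of a (constructed) site inventory; field names are assumptions."""
    host: str
    framework: str                 # e.g. "drupal", "wordpress", "hugo"
    version: str                   # e.g. "10.2.3"
    db_backend: str                # e.g. "pgsql", "mysql", "sqlite"
    jsonapi_enabled: bool = True   # JSON:API is enabled by default since Drupal 9


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '11.3.9', '8.0' or '9.5.0-rc1' into a comparable (major, minor, patch).

    Missing components default to 0. A pre-release or build suffix is dropped, so
    '11.3.9-rc1' compares as 11.3.9; that is the conservative choice because it
    keeps such a build inside the affected range rather than outside it.
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_affected_range(version: str) -> bool:
    """True when the version lies within the range the article names."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def classify(site: Site) -> str:
    """Return 'affected', 'review' or 'not_affected' for one inventory row."""
    if site.framework.lower() != "drupal":
        return "not_affected"
    if not in_affected_range(site.version):
        return "not_affected"
    # Inside the version range. The article scopes the issue to PostgreSQL-backed
    # sites with the (default-enabled) JSON:API module; anything else in range is
    # still flagged for review so it is patched rather than silently skipped.
    postgres = site.db_backend.lower() in ("pgsql", "postgresql", "postgres")
    if postgres and site.jsonapi_enabled:
        return "affected"
    return "review"


def triage(sites) -> dict[str, list[str]]:
    """Group an inventory by classification, most urgent bucket first."""
    buckets: dict[str, list[str]] = {"affected": [], "review": [], "not_affected": []}
    for site in sites:
        buckets[classify(site)].append(site.host)
    return buckets


# Constructed sample inventory; hostnames are placeholders, not real sites.
# "11.3.10" is only a value above the stated range, not a claim about any release.
SAMPLE_INVENTORY = [
    Site("portal.example.gov", "drupal", "10.2.3", "pgsql"),
    Site("intranet.example.gov", "drupal", "9.5.11", "mysql"),
    Site("legacy.example.edu", "drupal", "8.9.20", "pgsql", jsonapi_enabled=False),
    Site("news.example.gov", "drupal", "11.3.9", "postgresql"),
    Site("patched.example.gov", "drupal", "11.3.10", "pgsql"),
    Site("blog.example.org", "wordpress", "6.5.2", "mysql"),
    Site("docs.example.org", "hugo", "0.125.0", "none"),
]

if __name__ == "__main__":
    for level, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{level:>13}: {', '.join(hosts) or '-'}")
```

The "review" bucket exists on purpose: a Drupal site in the affected version range on MySQL, or with JSON:API switched off, is outside the scope the article describes, but an inventory field can be stale, and the cheapest correct action is still to update it. Treat the buckets as an ordering of work, not as permission to leave anything in range unpatched.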
The Government Exposure
WebPulse has scanned 466,000+ sites. Drupal is the second most detected framework in our Tranco top-100K scan at 9,587 detections. In the .gov TLD specifically, Drupal accounts for 49% of detected frameworks at 12,467 sites. These are the sites that process citizen data, serve public services, and represent critical national infrastructure.
Federal agencies had five business days to remediate — CISA's deadline was May 27. State and local governments, educational institutions, and international government sites had no binding deadline. The median government patch cycle is measured in weeks to months, not days. During that window, every unpatched Drupal government site was a documented target with a known exploit path.
Honest Accounting
WebPulse has published stories positioning Drupal as the more secure CMS choice for government and enterprise. That analysis was correct in aggregate — Drupal has dramatically fewer CVEs than WordPress, a more rigorous security advisory process, and no equivalent to WordPress's plugin marketplace vulnerability epidemic.
But CVE-2026-9082 demonstrates that 'fewer CVEs' is not the same as 'secure.' One critical core flaw in a default-enabled API, actively exploited within days, affects every Drupal installation regardless of how carefully it was configured. The total CVE count comparison (WordPress 18,005 vs. Drupal's handful) is still meaningful. But one CVSS 9.8 in core is enough.
The honest conclusion: no CMS with a database-backed runtime is immune to critical vulnerabilities. Drupal is materially safer than WordPress by the numbers. It is not safe in absolute terms. The frameworks with zero critical CVEs — Hugo, Astro, Eleventy — achieve that by eliminating the runtime attack surface entirely, not by managing it more carefully.