{"id":253868,"date":"2026-05-24T04:07:00","date_gmt":"2026-05-24T08:07:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/24\/u-s-cisa-adds-a-flaw-in-drupal-core-to-its-known-exploited-vulnerabilities-catalog\/"},"modified":"2026-05-24T04:20:11","modified_gmt":"2026-05-24T08:20:11","slug":"u-s-cisa-adds-a-flaw-in-drupal-core-to-its-known-exploited-vulnerabilities-catalog","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/24\/u-s-cisa-adds-a-flaw-in-drupal-core-to-its-known-exploited-vulnerabilities-catalog\/","title":{"rendered":"U.S. CISA adds a flaw in Drupal Core to its Known Exploited Vulnerabilities catalog"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/192566\/uncategorized\/u-s-cisa-adds-a-flaw-in-drupal-core-to-its-known-exploited-vulnerabilities-catalog.html\">U.S. CISA adds a flaw in Drupal Core to its Known Exploited Vulnerabilities catalog<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/192566\/uncategorized\/u-s-cisa-adds-a-flaw-in-drupal-core-to-its-known-exploited-vulnerabilities-catalog.html\">https:\/\/securityaffairs.com\/192566\/uncategorized\/u-s-cisa-adds-a-flaw-in-drupal-core-to-its-known-exploited-vulnerabilities-catalog.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-24 04:07:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>U.S. 
CISA adds a flaw in Drupal Core to its Known Exploited Vulnerabilities catalog<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> May 24, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2020\/07\/CISA.jpeg?fit=700%2C368&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Drupal Core to its Known Exploited Vulnerabilities catalog.<\/h2>\n<p class=\"wp-block-paragraph\">The U.S. Cybersecurity and Infrastructure Security Agency (CISA)\u00a0added\u00a0a flaw in Microsoft Exchange Server, tracked as CVE-2026-9082 (CVSS score of 9.8), to its\u00a0Known Exploited Vulnerabilities (KEV) catalog.<\/p>\n<p class=\"wp-block-paragraph\">Drupal issued a highly critical security patch on May 20 for\u00a0CVE-2026-9082, a SQL injection vulnerability that allows unauthenticated attackers to compromise sites running PostgreSQL databases. Exploitation attempts started almost immediately, and within 48 hours, security firms were tracking thousands of attacks in the wild.<\/p>\n<p class=\"wp-block-paragraph\">The vulnerability sits in an API designed to sanitize database queries and prevent SQL injection. A flaw in that API means an attacker can send specially crafted requests and inject arbitrary SQL commands on sites using PostgreSQL. As Drupal put it in its\u00a0advisory:<\/p>\n<p class=\"wp-block-paragraph\">\u201cA vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. 
This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.\u201d reads the\u00a0advisory. \u201cThis vulnerability can be exploited by anonymous users.\u201d<\/p>\n<p class=\"wp-block-paragraph\">The result can range from information disclosure to privilege escalation and, in some configurations, remote code execution.<\/p>\n<p class=\"wp-block-paragraph\">The advisory for CVE-2026-9082 was updated on May 22, two days after the patch was released, with a detail that confirmed what many had already suspected:<\/p>\n<p class=\"wp-block-paragraph\">\u201cThe risk score has been updated to reflect that exploit attempts are now being detected in the wild.\u201d\u00a0reads\u00a0the updated advisory.<\/p>\n<p class=\"wp-block-paragraph\">Imperva observed more than 15,000 exploitation attempts&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/192566\/uncategorized\/u-s-cisa-adds-a-flaw-in-drupal-core-to-its-known-exploited-vulnerabilities-catalog.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>U.S. 
CISA adds a flaw in Drupal Core to its Known Exploited Vulnerabilities catalog https:\/\/securityaffairs.com\/192566\/uncategorized\/u-s-cisa-adds-a-flaw-in-drupal-core-to-its-known-exploited-vulnerabilities-catalog.html&#8230;<\/p>\n","protected":false},"author":1,"featured_media":253869,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2020\/07\/CISA.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,27],"class_list":["post-253868","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253868"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=253868"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253868\/revisions"}],"predecessor-version":[{"id":253870,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253868\/revisions\/253870"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/253869"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=253868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=253868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=25386
8"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}