Drupal Warns of Highly Critical Core Flaw Requiring Immediate Emergency Patching
Drupal has warned administrators to prepare for an emergency core security release affecting all supported branches, saying the undisclosed flaw is highly critical, easy to exploit, and could be weaponized within hours or days of disclosure. According to Drupal and follow-on reporting, the vulnerability requires no privileges and may let attackers expose non-public data or modify or delete site content, although it appears limited to certain uncommon configurations rather than every deployment. A related advisory from dCERT also flagged a Drupal Core vulnerability enabling an unspecified attack.
Security updates are scheduled for supported branches 11.3.x, 11.2.x, 10.6.x, and 10.5.x, with best-effort fixes also planned for older 11.1.x and 10.4.x releases. Sites running 8.9 and 9.5 are expected to receive manual patch files only, with warnings about possible regressions and renewed pressure to upgrade to supported versions such as Drupal 10.6 or later; Drupal 7 is not affected. Drupal Steward customers were said to be protected against known attack vectors, but Drupal still urged all organizations to reserve maintenance time and apply the patch immediately once released.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
CISA adds Drupal CVE-2026-9082 to KEV catalog
CISA added the actively exploited Drupal Core SQL injection flaw CVE-2026-9082 to its Known Exploited Vulnerabilities catalog after evidence of in-the-wild abuse. The agency ordered Federal Civilian Executive Branch agencies to remediate by 2026-05-27.
Imperva reports 15,000+ attacks on Drupal flaw across 6,000 sites
Imperva said that within 48 hours of Drupal's patch release, it observed more than 15,000 attack attempts exploiting CVE-2026-9082 against nearly 6,000 sites in 65 countries. The activity was largely reconnaissance and validation, with gaming and financial services organizations accounting for almost half of observed attacks.
Traficom warns Drupal SQL injection flaw is actively exploited
Finland's Traficom warned that the critical Drupal Core SQL injection vulnerability is being actively exploited in the wild, particularly when Drupal uses PostgreSQL as its database. The notice said exploitation can lead to information disclosure and in some cases privilege escalation, arbitrary code execution, and other attacks, while reiterating upgrade guidance for supported and some end-of-life branches.
Drupal issues SA-CORE-2026-004 for critical SQL injection flaw
Drupal published its May 20, 2026 security advisory SA-CORE-2026-004 addressing a highly critical SQL injection vulnerability in multiple Drupal Core versions. The Canadian Centre for Cyber Security amplified the notice and urged administrators to review the advisory and apply updates or mitigations.
dCERT publishes advisory on Drupal core vulnerability
Germany's dCERT published Advisory 2026-1550 covering a Drupal Core vulnerability described as allowing an unspecified attack. The advisory reflects external coordination and public notice of the issue ahead of patch release.
Drupal discloses severity and affected version guidance
Alongside the announcement, Drupal said the flaw is highly critical, easy to exploit without privileges, and could expose non-public data or allow modification or deletion of content, though only certain uncommon configurations are affected. It said supported branches 11.3.x, 11.2.x, 10.6.x, and 10.5.x would receive releases, best-effort patches would be provided for 11.1.x, 10.4.x, 9.5, and 8.9, Drupal 7 is unaffected, and older versions should be upgraded.
Drupal announces emergency core security update for May 20
Drupal warned administrators on May 19, 2026 that it would release an emergency core security update on May 20 between 17:00 and 21:00 UTC for supported branches. The project urged site owners to reserve time to apply the fix immediately because exploits could appear within hours or days of disclosure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
25 references tracked. Mallory keeps watching after this page renders.
Drupal SQL Injection Exploit: Wild Exploit PoC Public
securityonline.info
Open sourceDrupal PostgreSQL SQL Injection: From SELECT-Only to RCE : r/netsec
reddit.com
Open sourceDrupal bug added to CISA list of known exploited vulnerabilities | news | SC Media
scworld.com
Open sourceCISA orders feds to patch actively exploited Drupal vulnerability
bleepingcomputer.com
Open sourceDrupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare
thehackernews.com
Open sourceDrupal warns admins to brace for highly critical core patch
theregister.com
Open sourcedCERT - Advisory 2026-1550 - Drupal Core: Vulnerability allows unspecified attack
dcert.de
Open sourceDrupal warns admins to brace for highly critical core patch
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Drupal and TYPO3 Core Flaws Prompt CMS Security Advisories
Security advisories were issued for **multiple vulnerabilities in Drupal Core** and for a **TYPO3 Core information disclosure flaw**, highlighting fresh risk in widely deployed content management systems. The Drupal notice identifies several unresolved security issues in the core platform, while the TYPO3 advisory warns that a vulnerability could expose sensitive information to unauthorized parties. Organizations running either CMS are likely to review affected versions, assess exposure of internet-facing instances, and prioritize vendor guidance for patching or mitigation. The disclosures underscore the operational risk of unremediated core-platform weaknesses in web publishing environments, where vulnerabilities can affect confidentiality and potentially broaden the attack surface for follow-on compromise.
Apr 21, 2026
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
A series of critical vulnerabilities have been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, with proof-of-concept code available for some, increasing the urgency for immediate patching and mitigation. Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.
Mar 21, 2026
Google Chrome Emergency Update Patches Multiple Critical Vulnerabilities
Google released an emergency update for *Chrome for Desktop* to **Stable channel 145.0.7632.159/160 (Windows/macOS)** and **145.0.7632.159 (Linux)**, addressing **10 security vulnerabilities**, including **three Critical** issues. Reported flaws include `CVE-2026-3536` (integer overflow in **ANGLE**), `CVE-2026-3537` (object lifecycle issue in **PowerVR**), and `CVE-2026-3538` (integer overflow in **Skia**); additional **High-severity** bugs span components such as **V8**, **WebAssembly**, **CSS**, **DevTools**, and media-related subsystems. Google limited detailed disclosure until patch adoption increases and urged users to update promptly; reported bug bounty awards for individual findings reached **up to $33,000**. The Canadian Centre for Cyber Security echoed Google’s advisory, recommending organizations apply the Chrome updates when available to remediate the affected versions. Separate Canadian Centre advisories also covered unrelated patch guidance for **Drupal contributed modules** (including a **critical access bypass** in *AJAX Dashboard* and moderate issues such as XSS in other modules) and a **Tenable Nessus Manager** vulnerability fixed in versions **10.10.3** and **10.11.3**; these items are distinct from the Chrome emergency update and should be tracked independently in vulnerability management workflows.
Mar 21, 2026