What Happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core. "Drupal Core
Why It Matters
The article reports that CISA has added CVE-2026-9082, a critical SQL injection flaw in Drupal Core’s database abstraction API, to its Known Exploited Vulnerabilities catalog after observing more than 15,000 exploitation attempts against nearly 6,000 Drupal sites across 65 countries.[1][2][3] The bug allows unauthenticated attackers to perform arbitrary SQL injection on PostgreSQL-backed Drupal sites, potentially leading to information disclosure, privilege escalation, and remote code execution, and U.S. federal agencies have been ordered to patch by a specified deadline.[1][2][3] From an AI supply chain perspective, any AI application or agent that depends on a vulnerable Drupal-based CMS for training data, content management, or API integration could ingest tampered data, have its configuration modified, or expose sensitive information used by AI workflows. CyberSE.AI analysis: organizations should treat Drupal (and similar web/CMS components) as critical parts of the AI supply chain, ensure their SBOM and asset inventory include these dependencies, and incorporate KEV-driven patch SLAs into AI Security Readiness, especially where AI agents consume content or credentials from Dru
CyberSE Analysis
This signal maps to the AI supply chain risk class. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/05/drupal-core-sql-injection-bug-actively.html