Drupal announces critical core security update for high-risk vulnerability affecting versions 8 and later

Drupal announced a core security release for May 20, 2026, warning that exploits could appear within hours of disclosure. The issue affects Drupal core 8+, with patches planned for the supported 11.x and 10.x branches, plus hotfixes for the end-of-life 9.5 and 8.9 releases. No CVE or technical details were disclosed ahead of the release.
Why it matters: Drupal is widely used by government, education, healthcare, and large organizations, so a high-risk core flaw has broad exposure. Defenders should monitor the advisory and be ready to apply updates immediately, especially because Drupal expects rapid exploit development.

Sources

CISA orders feds to patch actively exploited Drupal vulnerability
Sergiu Gatlan 2026.05.26 94% relevant
This article updates the same Drupal vulnerability event by adding that the flaw is tracked as CVE-2026-9082, is being actively exploited, has been added to CISA's KEV catalog, and now carries a Binding Operational Directive deadline for U.S. federal agencies to patch by May 27, 2026.
Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV
The Hacker News 2026.05.23 94% relevant
This appears to update the same Drupal core vulnerability event by adding that the flaw is being actively exploited and has now been added to CISA's KEV catalog, increasing urgency beyond the original critical update notice.
Drupal Vulnerability in Hacker Crosshairs Shortly After Disclosure
Eduard Kovacs 2026.05.22 96% relevant
This is the direct follow-up to the same Drupal event, adding that CVE-2026-9082 is now seeing exploitation attempts in the wild, that Drupal raised its risk score, and that Imperva observed more than 15,000 attempts targeting nearly 6,000 sites across 65 countries.
Drupal: Critical SQL injection flaw now targeted in attacks
Bill Toulas 2026.05.22 98% relevant
This is a direct update to the same Drupal core flaw disclosed earlier in the week, adding the key new fact that exploit attempts for CVE-2026-9082 have now been detected in the wild and reiterating affected branches and upgrade guidance.
Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking
Eduard Kovacs 2026.05.21 97% relevant
This article is the follow-up patch release for the same Drupal security event, adding the CVE identifier (CVE-2026-9082), technical details about the PostgreSQL SQL injection flaw, impact including possible unauthenticated RCE, and the fixed version branches.
Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks
The Hacker News 2026.05.21 97% relevant
This appears to cover the same May 2026 Drupal core security release, adding that the flaw is highly critical, affects PostgreSQL-based Drupal deployments, and can expose affected sites to remote code execution attacks.
Drupal critical update to fix bug with high exploitation risk
Bill Toulas 2026.05.20 100% relevant
This article establishes a new story because it is the initial report of a specific Drupal core security release tied to a high-exploitation-risk vulnerability, and it does not match any existing tracked event.
Clear your calendar, Drupal user: You have a critically urgent patch to install
2026.05.19 98% relevant
This article covers the same pre-disclosure Drupal core security release window for May 20, 2026, adding detail on affected branches including best-effort patches for unsupported 8.9 and 9.5, the advisory's severity characterization, and Drupal's warning to reserve immediate patch time because exploit code could follow quickly.