CISA adds Drupal Core SQL injection CVE-2026-9082 to KEV Catalog
BOD 22-01 triggers a binding remediation deadline for FCEB agencies; contractors on federal networks should treat this as equally urgent.
TL;DR
CISA added CVE-2026-9082, a Drupal Core SQL injection vulnerability, to the Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Federal Civilian Executive Branch agencies are bound by Binding Operational Directive 22-01 to remediate by the catalog-assigned due date. The source advisory does not specify that deadline or confirm patch availability from Drupal maintainers. Contractors supporting federal networks should patch or mitigate without waiting for agency direction.

CISA added CVE-2026-9082, a SQL injection vulnerability in Drupal Core, to the Known Exploited Vulnerabilities Catalog on May 22, 2026. Active exploitation is confirmed; the advisory does not specify a remediation due date or whether a Drupal maintainer patch is available, so agencies and contractors should consult the KEV Catalog directly for the current deadline and patch status.
BOD 22-01 binds Federal Civilian Executive Branch agencies to remediate every cataloged CVE by its assigned due date. Non-federal contractors supporting FCEB networks are not legally bound but face practical disqualification risk if unpatched systems are discovered during assessments. SQL injection in a content management platform like Drupal can expose backend databases to exfiltration or manipulation, making delayed patching a network-integrity issue, not just a compliance checkbox.
Deep Fathom