Closed · Medium impact · AI Generated

Drupal Critical SQL Injection Vulnerability CVE-2026-9082 Actively Exploited

Occurred 18 May 2026 · Detected 22 May 2026 · Ended 29 May 2026
Global — affects any organisation running vulnerable Drupal versions with PostgreSQL · 1 report
CyberPropertyCyberCasualty & Liability

A critical SQL injection vulnerability (CVE-2026-9082) in Drupal's database abstraction API is being actively exploited in the wild. The flaw affects sites using PostgreSQL and allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to remote code execution, privilege escalation, and data theft. Drupal rated the vulnerability 23/25 (highly critical) and confirmed exploitation attempts on May 22, 2026, following initial disclosure on May 18. Administrators are urged to upgrade immediately to patched versions.

AI-generated from linked source reports. See our correction policy.

Impact verdict

Medium impact. MEDIUM: Second-pass historical recalibration. This cyber advisory or vulnerability item is relevant to Cyber and technology-dependent Property/Casualty books, but it does not evidence confirmed insured loss, claims activity, ransomware/business interruption, critical infrastructure outage, or quantified market impact sufficient for HIGH.

How we grade what we know: Known · Reported · Uncertain.

Intelligence ledger

Known (6 lines)

CVE-2026-9082 affects Drupal's database abstraction API on PostgreSQL-backed sites
Exploitation attempts confirmed in the wild as of May 22, 2026
Vulnerability is exploitable without authentication
Affected versions include Drupal 8.9.x, 10.4.x through 10.6.x, and 11.0.x through 11.3.x
Discovered by Google/Mandiant researcher Michael Maturi
Drupal rated severity 23/25; NIST assigned CVSS v3 score of 6.5 (medium)

Reported (2 lines)

Exploitation may lead to remote code execution, privilege escalation, and information disclosure
Drupal 8 and 9 are end-of-life but patches provided on best-effort basis

Uncertain (3 lines)

Scale and identity of threat actors conducting exploitation attempts unknown
Number of compromised sites or data exfiltrated not yet disclosed
Whether exploitation has progressed beyond scanning/probing to full compromise is unconfirmed

Timeline

Status Change · 2 Jun 2026, 13:05
Lifecycle changed: monitoring → closed

Closure · 2 Jun 2026, 13:05
Event Closed: auto_closed_monitoring_timeout

Status Change · 29 May 2026, 05:30
Status changed to monitoring: active → monitoring
Auto-transitioned: no updates for 6 hours

Status Change · 28 May 2026, 22:36
Status changed to active: signal → active
remediation: existing authoritative signal

Initial Detection · 22 May 2026, 14:38

The risk score has been updated to reflect that exploit attempts are now being detected in the wild. The flaw is exploitable without authentication and could result in remote code execution, privilege escalation, and information disclosure.

Source: BleepingComputer (Trade Media)