DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:03:37ZSOURCES: 14CRITICAL: 15
⚠ ACTIVE ALERTS
SYLVANITE CRITICAL — SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated… /// @MsftSecIntel CRITICAL — We are tracking TeamPCP (UNC6780) activity following the GitHub internal repository… /// @GossiTheDog CRITICAL — The GitHub / TeamPCP breach is now being monetized on BreachForums. Listing is up — $95k… /// @struppigel CRITICAL — SUPPLY CHAIN ALERT: Laravel-Lang PHP packages backdoored May 22-23 via hijacked GitHub… /// @MalwareHunterTeam CRITICAL — Seeing fresh DebugElevator stealer log batches already appearing for sale on Exploit.in —…
15Critical Threats
8Active CVEs
0IOCs Tracked
0New Advisories
INTEL FEED/ARCHIVE/CVE
DMZ INTEL DESK//FILED: 2026-05-26//08:46Z
CRITICAL#cve

CVE-2026-9082: Unauthenticated SQLi in Drupal Core (PostgreSQL) Under Mass Exploitation; CISA KEV Added, 15K Attack Attempts Observed

CVE-2026-9082, a highly critical (Drupal score 23/25) unauthenticated SQL injection flaw in Drupal's database abstraction API affecting PostgreSQL-backed installations across versions 8.9 through 11.3.9, moved from patch release to active in-the-wild exploitation in under 48 hours. Imperva observed over 15,000 attack attempts targeting nearly 6,000 individual sites across 65 countries, with gaming and financial services sites comprising nearly 50% of targets. CISA added the flaw to its KEV catalog on May 22 with a May 27 remediation deadline for federal agencies; defenders should note that sites not on PostgreSQL still require patching due to bundled Symfony and Twig upstream fixes.

CISA added the flaw to its KEV catalog on May 22 with a May 27 remediation deadline for federal agencies; defenders should note that sites not on PostgreSQL still require patching due to bundled Symfony and Twig upstream fixes.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
cve-2026-9082 · drupal · sql-injection · postgresql · cisa-kev · unauthenticated-rce · imperva · web-cms · active-exploitation
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

RELATED CVES

CVE
CVE-2026-9082
Drupal Core PostgreSQL Unauthenticated SQL Injection
CVSS 9.8

MORE FROM ARCHIVE

# CVE
2026-05-23
CVE-2026-20223 (CVSS 10.0): Unauthenticated REST API Auth Bypass in Cisco Secure Workload Grants Cross-Tenant Site Admin Privileges
# CVE
2026-05-22
CVE-2024-12802 SonicWall Gen6 SSL-VPN MFA Bypass Actively Exploited by Ransomware-Linked IAB — Firmware Patch Alone Insufficient Due to Six Missed LDAP Reconfiguration Steps