CISA adds actively exploited Drupal SQL injection to KEV
BOD 22-01 remediation clock starts now; SQL injection through Drupal remains a federal attack surface.
Editorial brief
CISA added CVE-2026-9082, a Drupal Core SQL injection, to the Known Exploited Vulnerabilities Catalog Thursday on evidence of active exploitation. Federal civilian agencies must remediate by the BOD 22-01 deadline. Drupal Core runs on a substantial portion of .gov sites, and SQL injection persists as a reliable federal attack vector decades after mitigations became standard.
CVE-2026-9082 is a SQL injection vulnerability in Drupal Core. CISA's advisory does not describe the exploitation context (whether targeted or opportunistic), but the KEV Catalog's inclusion threshold requires evidence of active exploitation, not merely proof-of-concept code.

The specific remediation due date is listed on the KEV Catalog entry; standard BOD 22-01 timelines apply unless CISA sets a shorter window for this CVE. BOD 22-01 requires FCEB agencies to remediate KEV-listed vulnerabilities by the assigned due date. The directive does not bind contractors directly, but any vendor or subcontractor running Drupal instances that touch federal data or networks inherits the risk.

Drupal Core powers a non-trivial share of the .gov web presence, including agency public sites, internal portals, and grant-management platforms. SQL injection has been a known and mitigable attack class for more than twenty years. That it remains the vector on a platform as widely deployed as Drupal is worth noting, even inside a routine catalog update.
Deep Fathom