The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-9082, a SQL injection flaw in Drupal Core, to its catalog of known exploited vulnerabilities, indicating active real-world attacks are already underway. Federal agencies are required to patch the vulnerability under Binding Operational Directive 22-01, and CISA is urging all organizations to prioritize remediation.