Drupal Core SQL Injection Bug Hits CISA KEV

A Drupal core SQL injection vulnerability is actively exploited and added to CISA's KEV catalog. Here's what developers need to patch right now.

May 23, 2026 | VibeWShield News Agent | thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

Drupal Core SQL Injection Now on CISA's Known Exploited Vulnerabilities List

A SQL injection vulnerability in Drupal core is being actively exploited in the wild, and CISA has officially added it to the Known Exploited Vulnerabilities (KEV) catalog. That designation carries weight. Federal agencies have a mandated remediation deadline, and the broader developer community should treat it as a strong signal that this bug is being weaponized at scale right now.

The Drupal SQL injection flaw allows attackers to manipulate database queries through unsanitized user input. If your site is running an unpatched version, you are exposed.

How the SQL Injection Vulnerability Works in Drupal

SQL injection at the framework level is particularly dangerous because it bypasses application-layer defenses. In Drupal's case, the flaw exists in a core component, meaning it isn't limited to a specific contributed module or theme. Attackers can craft malicious HTTP requests that inject SQL syntax directly into database queries Drupal constructs internally.

The result depends on database permissions and configuration, but typical outcomes include unauthorized data extraction, authentication bypass, and in some configurations, remote code execution through database features like xp_cmdshell (MSSQL) or INTO OUTFILE (MySQL). Drupal sites commonly run on MySQL or MariaDB, so file-write and data-dump attacks are the most realistic threat vectors here.

Exploitation doesn't require authentication in the reported attack chains. That dramatically lowers the bar for attackers and explains why active exploitation picked up quickly after disclosure.

What's at Risk for Developers and Site Owners

Any Drupal site running a vulnerable core version is a target. The risk isn't abstract. Active exploitation means automated scanners and human attackers are already probing for this flaw across the internet.

Data exposure is the immediate concern. User credentials, session tokens, private content, and any personally identifiable information stored in the database are all reachable through a successful SQL injection attack. For sites handling e-commerce, healthcare data, or government content, the blast radius is significant.

Secondary risks include persistent backdoors. Attackers who gain database write access can insert malicious content, create rogue admin accounts, or drop web shells if file-system permissions allow it. Cleaning up after a SQL injection compromise is substantially harder than patching before one.

How to Protect Your Drupal Site Against SQL Injection Attacks

Patch immediately. Drupal's security team has released a fix, and there is no good reason to delay. Run composer update drupal/core or use the Drupal admin update interface if your site still uses the legacy update mechanism.

After patching, take these additional steps:

  • Audit your database user permissions. The Drupal database user should have only SELECT, INSERT, UPDATE, and DELETE rights. No FILE privileges, no SUPER, no EXECUTE.
  • Review access logs. Look for unusual query patterns, unexpected POST requests to core paths, or error spikes around the disclosure date.
  • Enable a web application firewall (WAF). A WAF won't substitute for patching, but it can block known exploit payloads while you work through your update cycle.
  • Run a full vulnerability scan. Use an automated scanner to verify the patch applied correctly and check for any other exposed attack surfaces.
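The permission audit from the first step can be scripted. The following is an added example, not code from the original report or from Drupal: it parses the text output of MySQL/MariaDB `SHOW GRANTS FOR ...` and reports every privilege outside the SELECT/INSERT/UPDATE/DELETE allowlist named above. The user name, database name and sample grants are constructed for illustration.

```python
import re

# Allowlist from the article's recommendation; USAGE means "no privileges".
ALLOWED = {"SELECT", "INSERT", "UPDATE", "DELETE", "USAGE"}
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<rest>.+)$", re.I)

def audit_grants(show_grants_output):
    """Return (scope, privilege) pairs that exceed the allowlist."""
    findings = []
    for line in show_grants_output.splitlines():
        line = line.strip().rstrip(";")
        if not line:
            continue
        m = GRANT_RE.match(line)
        if not m:
            # Role grants and other forms are reported, never silently skipped.
            findings.append(("?", "UNPARSED: " + line))
            continue
        scope = m.group("scope").replace("`", "")
        # Drop column lists such as SELECT (name, mail) before splitting.
        privs = re.sub(r"\([^)]*\)", "", m.group("privs"))
        for priv in (p.strip().upper() for p in privs.split(",")):
            if priv and priv not in ALLOWED:
                findings.append((scope, priv))
        if re.search(r"WITH\s+GRANT\s+OPTION", m.group("rest"), re.I):
            findings.append((scope, "GRANT OPTION"))
    return findings

# Constructed sample output for a hypothetical `drupal`@`localhost` account.
SAMPLE = """\
GRANT USAGE ON *.* TO `drupal`@`localhost`
GRANT FILE ON *.* TO `drupal`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON `drupal_db`.* TO `drupal`@`localhost`
"""

if __name__ == "__main__":
    for scope, priv in audit_grants(SAMPLE):
        print(f"excess privilege {priv} on {scope}")
```

Drupal's installation documentation also grants schema-change privileges (CREATE, ALTER, DROP, INDEX, CREATE TEMPORARY TABLES) because updates and module installs need them; if the site relies on those, extend `ALLOWED` deliberately rather than ignoring the findings.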

You can scan your Drupal site for SQL injection and other vulnerabilities at VibeWShield's free scanner. For more on CMS-specific security issues, see our guide to web application vulnerability scanning.


FAQ

Which Drupal versions are affected by this SQL injection bug?
The vulnerability affects specific Drupal core versions prior to the patched releases. Check the official Drupal security advisory for the exact version range and update to the latest stable release immediately.

Does enabling Drupal's caching layer prevent exploitation?
No. Caching can reduce the attack surface in some scenarios, but it does not sanitize or block malicious database queries. Patching the core vulnerability is the only reliable fix.

How do I verify my site was not already compromised before I patched?
Review server and database logs for anomalous query patterns around the vulnerability disclosure date. Check for new admin accounts, unexpected file modifications in the webroot, and any outbound connections from your web server to unfamiliar IPs.
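The "new admin accounts" check can be run as a query. This is an added example, not part of the original report: it assumes the Drupal 8+ tables `users_field_data` and `user__roles` and the Standard profile's `administrator` role ID, and it runs against an in-memory SQLite stand-in with constructed rows; the cutoff date is a placeholder for the disclosure date.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed Drupal 8+ schema. With a MySQL driver, replace "?" with "%s".
QUERY = """
SELECT u.uid, u.name, u.created
FROM users_field_data AS u
JOIN user__roles AS r ON r.entity_id = u.uid
WHERE r.roles_target_id = ? AND u.created >= ?
ORDER BY u.created
"""

def admins_created_since(conn, cutoff, role="administrator"):
    """Return (uid, name, UTC creation time) for accounts holding `role`
    that were created at or after `cutoff` (a timezone-aware datetime)."""
    rows = conn.execute(QUERY, (role, int(cutoff.timestamp()))).fetchall()
    return [(uid, name,
             datetime.fromtimestamp(created, timezone.utc).isoformat())
            for uid, name, created in rows]

def sample_db():
    """Constructed stand-in for a Drupal database (made-up accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users_field_data (uid INTEGER, name TEXT, created INTEGER);
        CREATE TABLE user__roles (entity_id INTEGER, roles_target_id TEXT);
    """)
    conn.executemany("INSERT INTO users_field_data VALUES (?, ?, ?)", [
        (1, "siteadmin", 1600000000),      # long-standing account
        (42, "editor_jane", 1779000000),   # recent, but not an admin
        (97, "support_tmp", 1779500000),   # recent admin: needs review
    ])
    conn.executemany("INSERT INTO user__roles VALUES (?, ?)", [
        (1, "administrator"), (42, "editor"), (97, "administrator"),
    ])
    return conn

if __name__ == "__main__":
    cutoff = datetime(2026, 5, 1, tzinfo=timezone.utc)  # placeholder date
    for row in admins_created_since(sample_db(), cutoff):
        print("review admin account:", row)
```

The query only catches accounts created after the cutoff. An existing account that was promoted to administrator will not appear, so also compare `user__roles` against a backup taken before the disclosure date.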

