Drupal Is Being Actively Exploited Right Now: What UK Small Businesses Need to Do Today

Two vulnerabilities confirmed under active exploitation. One affects a CMS used by millions of websites. The other gives attackers root access to web servers. Both have patches available. The question is whether anyone has applied them to your site.

This is not theoretical risk. This is happening now.

CVE-2026-9082: The Drupal Flaw That Requires No Password

Drupal is a content management system (CMS), the software that powers a significant number of charity websites, professional services firms, local business sites, and e-commerce operations across the UK.

CVE-2026-9082 is a SQL injection vulnerability in Drupal’s core database abstraction layer, specifically in how it builds queries when PostgreSQL is the database backend. SQL injection means the application splices untrusted input into a database query as if it were part of the SQL itself. An attacker sends a specially crafted request to your website, and the database executes the attacker’s text as an instruction instead of treating it as data. That instruction can read, and in practice dump, the entire contents of the database. Check which database your site uses: the flaw is described as specific to the PostgreSQL backend, but the fix is a Drupal core update and should be applied regardless.

The critical detail: this requires no authentication. An attacker does not need a username, a password, or an account on your site. They point a tool at your URL and send the malicious query. If you’re unpatched, your database responds.
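To make the mechanism concrete, here is an added illustration of the general technique. It is not Drupal’s code and not the CVE-2026-9082 code path (the advisories cited below do not reproduce it); it uses SQLite standing in for PostgreSQL, a constructed three-row user table, and a classic tautology payload rather than whatever the real exploit sends. The point it shows is the one the paragraph makes: with string concatenation the database cannot tell data from instruction, and with placeholder binding the same input is only ever compared as text.

```python
import sqlite3

# Constructed sample rows standing in for a site's user table (not real data).
SAMPLE_USERS = [
    (1, "alice@example.org", "$2y$10$hash-a"),
    (2, "bob@example.org", "$2y$10$hash-b"),
    (3, "carol@example.org", "$2y$10$hash-c"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stands in for the site's PostgreSQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, mail TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, mail: str) -> list:
    """Attacker-controlled text is spliced into the SQL string, so the
    database executes whatever the request author wrote."""
    sql = f"SELECT uid, mail, pass FROM users WHERE mail = '{mail}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, mail: str) -> list:
    """Placeholder binding: the driver sends the value separately from the
    statement, so a quote or OR clause in the input is just a string."""
    return conn.execute(
        "SELECT uid, mail, pass FROM users WHERE mail = ?", (mail,)
    ).fetchall()


# A textbook tautology payload; crafted for this example, not the CVE's payload.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    # The concatenated query becomes: ... WHERE mail = '' OR '1'='1'
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD))  # every row leaks
    print("safe:      ", lookup_safe(conn, PAYLOAD))        # nothing matches
```

The same contrast applies inside a CMS: the vulnerability the page describes is exactly a place where the framework itself failed to keep data and query apart, which is why no site-level code change helps and the only remediation is the core update.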

CISA, the US government’s Cybersecurity and Infrastructure Security Agency, added CVE-2026-9082 to its Known Exploited Vulnerabilities (KEV) catalogue on 23 May 2026. The KEV list is not a speculative risk assessment. Entry requires confirmed evidence of active exploitation in the wild. CISA recorded over 15,000 exploitation attempts targeting this flaw across 65 countries within the first 48 hours of public disclosure.

The patching deadline set by CISA is 27 May 2026. Formally, KEV due dates bind US federal civilian agencies under Binding Operational Directive 22-01, but they are the benchmark everyone else borrows, and this one has passed or is passing as you read this.

CVE-2026-48172: The Hosting Vulnerability Rated Perfect 10

The second story running in parallel is CVE-2026-48172, a flaw in the LiteSpeed User-End cPanel Plugin. LiteSpeed is web server software commonly used by hosting providers. cPanel is the administration interface used by millions of shared and managed hosting accounts.

This vulnerability carries a CVSS score of 10.0, the maximum possible severity rating. It allows a cPanel user to run arbitrary scripts with root-level privileges on the underlying server. The attacker needs a cPanel account, but on shared hosting every tenant has one, and so does an attacker who has already taken over one tenant’s site. Root access means full control: read any file, install any software, create any account, exfiltrate any data held on that server.

The flaw affects LiteSpeed plugin versions 2.3 through 2.4.4. It has been confirmed as actively exploited in the wild.

If your business website is hosted on a shared or managed hosting platform, there is a meaningful probability that your hosting provider runs LiteSpeed and cPanel. You will not have applied this patch yourself. Your hosting provider needs to have done it. The question is whether they have.

Why These Two Vulnerabilities Matter to a 10-Person UK Business

Neither of these flaws requires a sophisticated attacker. Both have exploit code available. Both are being hit by automated scanning tools that probe thousands of URLs per hour, looking for unpatched installations.

Your website does not need to be a high-value target. It just needs to be reachable.

If your Drupal site is successfully exploited via CVE-2026-9082, the attacker extracts your database. Depending on what your site does, that database may contain customer names and email addresses, order histories and payment references, contact form submissions, staff account password hashes (which attackers crack offline and reuse against your email and other services), and any other structured data your site stores.

Under UK GDPR, a personal data breach of this nature must be reported to the ICO within 72 hours of your becoming aware of it, unless it is unlikely to result in a risk to individuals. The ICO has issued enforcement notices and fines to organisations that failed to patch known vulnerabilities in a reasonable timeframe. “We didn’t know” is not a defence when the patch was publicly available.

If your hosting server is compromised via CVE-2026-48172, the scope is wider. Attackers with root access can install persistent backdoors, intercept traffic, pivot to other services on the same infrastructure, and use your server as a launchpad for attacks on others. Shared hosting environments mean other businesses on the same server may also be affected.

How to Turn This Into a Competitive Advantage

Most of your competitors are not having this conversation with their clients or suppliers. Most small business owners do not know what version of Drupal their website runs, or whether their hosting provider has patched a maximum-severity vulnerability.

If you do know, and you act, you are in a meaningfully different position.

For professional services firms: demonstrating that you actively monitor and respond to security advisories affecting your client-facing systems is a differentiator. Put it in your service terms. Reference it in due diligence responses. Document the action you took this week.

For businesses seeking Cyber Essentials certification: vulnerability management, specifically applying security updates for critical and high-severity vulnerabilities within 14 days of release, is a core requirement. Acting on CVE-2026-9082 and CVE-2026-48172 this week is documented evidence of a functioning patch management process.

For supply chain participants: larger organisations increasingly require evidence of security posture from their suppliers. Being able to demonstrate that you track and respond to CISA KEV alerts puts you ahead of the majority of SMBs in any procurement conversation.

Making the Business Case

Three points for any conversation with a director or budget holder:

The breach cost calculation is straightforward. A database containing customer personal data, once exfiltrated, triggers ICO notification obligations, potential fines, and reputational exposure. The ICO has fined organisations far smaller than enterprises for preventable breaches. The cost of patching is small: a version update that a competent agency applies as routine maintenance. The cost of not patching is potentially existential.

The patch exists. This is not a zero-day with no available fix. Drupal released the patched version. LiteSpeed released a fixed plugin. The remediation is applying an update that is already available. Weighed against that effort, the risk of doing nothing is indefensible.

CISA KEV is a public, dated record of what was known to be exploited and when. The ICO judges whether an organisation took appropriate technical and organisational measures, and NCSC guidance treats prompt patching of known exploited vulnerabilities as a baseline. Being unpatched against a KEV-listed vulnerability weeks after the published deadline is very hard to defend as reasonable care.

What to Do Before the End of Today

1. Find out what CMS your website runs. If you do not know, ask your web agency or the person who built your site. If the answer is Drupal, proceed immediately to step two.

2. Ask your web agency or MSP a specific question: “Has CVE-2026-9082 been patched on our Drupal installation? What version are we currently running?” Require a written response. If they cannot answer within the day, that tells you something important about their patch management capability.

3. Ask your hosting provider about CVE-2026-48172. Log in to your hosting control panel and check whether you use cPanel. If yes, contact your host and ask specifically whether the LiteSpeed cPanel plugin has been updated to a version later than 2.4.4. If your host cannot confirm this, consider whether your hosting arrangement is adequate.

4. Check your ICO registration and breach procedure. If either of these vulnerabilities has been exploited against your systems, the clock on ICO notification has already started. Ask your agency or host to preserve web server access logs and database logs now, before they rotate; they are how you or an incident responder will establish whether the flaw was actually exploited. Know where your breach response procedure is and who is responsible for making the notification.

5. Document the actions you took today. Date-stamped records of vulnerability checks and patch confirmations are evidence of reasonable care. They matter if a breach occurs later and you need to demonstrate due diligence.
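For the agency or MSP on the receiving end of steps 1, 2 and 4, here is an added triage helper. It is example code written for this page, not Drupal’s, LiteSpeed’s or CISA’s tooling. It relies on two real Drupal conventions (the default `X-Generator: Drupal N (https://www.drupal.org)` response header, and the `const VERSION = '...'` declaration in `core/lib/Drupal.php`), takes the fixed release number as a parameter because this page does not state it, and scans Apache-style access log lines for generic, PostgreSQL-flavoured injection probes. Those indicators are a first pass for the noisy automated scanning the page describes; they are not the signature of CVE-2026-9082. The headers, PHP fragment and log lines below are constructed samples.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import unquote_plus

# --- Steps 1 and 2: is it Drupal, and which release? -------------------------

# Drupal sends "X-Generator: Drupal 10 (https://www.drupal.org)" by default.
# Only the major version is exposed there, so confirm from the installed files.
GENERATOR_RE = re.compile(r"Drupal\s+(\d+)", re.I)
# core/lib/Drupal.php declares e.g.:  const VERSION = '10.2.5';
CORE_VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([\w.-]+)'")


def drupal_major_from_headers(headers: dict) -> Optional[int]:
    """Major version advertised by the X-Generator header, if present."""
    gen = {k.lower(): v for k, v in headers.items()}.get("x-generator", "")
    m = GENERATOR_RE.search(gen)
    return int(m.group(1)) if m else None


def drupal_version_from_core(drupal_php_source: str) -> Optional[str]:
    """Exact release string from the contents of core/lib/Drupal.php."""
    m = CORE_VERSION_RE.search(drupal_php_source)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric components only; '10.2.5-dev' compares as 10.2.5."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed release is at or above the release that
    carries the fix. 'fixed' comes from the Drupal security advisory."""
    return version_tuple(installed) >= version_tuple(fixed)


# --- Step 4: has anyone already been probing the site? -----------------------

# Generic SQL-injection indicators, PostgreSQL-flavoured. NOT the CVE signature.
SQLI_INDICATORS = [
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    re.compile(r"\bpg_sleep\s*\(", re.I),
    re.compile(r"\bpg_catalog\b|\binformation_schema\b", re.I),
    re.compile(r"(?:'|\")\s*(?:or|and)\s+['\"\d]", re.I),
    re.compile(r"--\s*$|;\s*--|/\*.*\*/", re.I),
]

# Apache combined log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed log lines for the example; 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/May/2026:02:14:01 +0000] "GET /node?title=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/May/2026:02:14:03 +0000] "GET /search/node?keys=1%27)%20UNION%20SELECT%20pass%20FROM%20users_field_data-- HTTP/1.1" 500 312',
    '198.51.100.9 - - [24/May/2026:02:15:10 +0000] "GET /about-us HTTP/1.1" 200 8801',
    '203.0.113.7 - - [24/May/2026:02:16:44 +0000] "GET /node/1?x=1%3B%20SELECT%20pg_sleep(5) HTTP/1.1" 200 5120',
]


def suspicious_requests(log_lines: Iterable[str]) -> Iterator[tuple]:
    """Yield (ip, timestamp, decoded_target, status, indicator) for requests
    whose URL-decoded path or query string matches an injection indicator."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, status = m.groups()
        decoded = unquote_plus(target)  # scanners encode the payload
        for pat in SQLI_INDICATORS:
            if pat.search(decoded):
                yield (ip, ts, decoded, int(status), pat.pattern)
                break


if __name__ == "__main__":
    headers = {"X-Generator": "Drupal 10 (https://www.drupal.org)"}
    core_php = "<?php\nclass Drupal {\n  const VERSION = '10.2.4';\n}\n"
    print("major from header:", drupal_major_from_headers(headers))
    installed = drupal_version_from_core(core_php)
    # Hypothetical fixed release, for illustration only.
    print("installed", installed, "patched:", is_patched(installed, "10.2.5"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("probe:", hit)
```

A 200 on a probe is not proof of compromise and a 500 is not proof of failure; the hits tell you which source addresses and which parameters to pull full request bodies and database logs for. A single address cycling through tautology, UNION and timing payloads, as in the constructed sample, is the pattern of an automated scanner rather than a human.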

Sources

CISA: Known Exploited Vulnerabilities Catalogue
The Hacker News: Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV
TheCyberThrone: CVE-2026-9082: Drupal Core SQL Injection
The Hacker News: LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
NCSC: Vulnerability Management Guidance
ICO: Security under UK GDPR
NIST NVD: CVE-2026-9082 Detail
NIST NVD: CVE-2026-48172 Detail

Filed under

  • smb-security
  • uk-business
  • vendor-risk
  • business-risk
  • compliance-failure
  • supply-chain-risk
  • incident-response