1 article
Drupal published SA-CORE-2026-004 on 20 May, disclosing CVE-2026-9082, a highly critical unauthenticated SQL injection vulnerability in Drupal's database abstraction API affecting sites running PostgreSQL. The flaw is zero-click and unauthenticated, and Drupal warned that exploit code turnaround would be measured in hours. CISA added the CVE to the Known Exploited Vulnerabilities catalogue on 22 May after confirmed exploitation.