Drupal Releases Highly Critical Security Patch for SQL Injection Vulnerability

Drupal released a highly critical security patch on May 20 for CVE-2026-9082, a SQL injection vulnerability affecting sites using PostgreSQL databases. The flaw allows unauthenticated attackers to compromise vulnerable systems, with active exploitation detected within 48 hours of the patch’s release. Drupal’s maintainers had warned that exploits could emerge rapidly following the disclosure. The vulnerability specifically impacts Drupal installations configured with PostgreSQL, though no additional technical details on the attack vectors were provided. No attribution or threat actor details were disclosed in the report.