Critical Drupal Core Vulnerability Exposes Websites to Attacks

The Drupal Security Team released SA-CORE-2026-004 addressing CVE-2026-9082, a highly critical unauthenticated SQL injection in Drupal core's database abstraction API that can allow raw SQL execution against PostgreSQL-backed sites; patches for all supported branches and mitigation guidance are provided and immediate updates are strongly recommended to prevent data disclosure, privilege escalation, or possible remote code execution.