
CVE-2026-9082: Drupal’s Highly Critical SQL Injection Flaw Is Already Under Active Attack

ID: 8e14ac42-ab54-59a8-aebc-22f885edeff3

STIX ID: report--8e14ac42-ab54-59a8-aebc-22f885edeff3

Feed Name: Security Affairs

Threat Score: 80/100

Date Published: 2026-05-23

Date Updated: 2026-05-24

Author: Pierluigi Paganini


On May 20, Drupal released a patch for a highly critical SQL injection vulnerability (CVE-2026-9082) that allows unauthenticated attackers to inject arbitrary SQL on sites using PostgreSQL. Attackers began active exploitation within 48 hours, with firms observing thousands of attack attempts across nearly 6,000 sites in 65 countries. The flaw can lead to information disclosure, privilege escalation, and potentially remote code execution in some configurations; administrators are urged to patch immediately and investigate suspicious database activity.
