Drupal: Critical SQL injection flaw now targeted in attacks

ID: 5085fb59-0c2f-5b57-8d4a-13f4d43e775c

STIX ID: report--5085fb59-0c2f-5b57-8d4a-13f4d43e775c

Feed Name: Bleeping Computer

Threat Score: 75/100

Date Published: 2026-05-22

Date Updated: 2026-05-22

Author: Bill Toulas

Drupal disclosed CVE-2026-9082, a highly critical SQL injection vulnerability in its database abstraction API that allows unauthenticated exploitation on sites using PostgreSQL. Exploit attempts have been observed in the wild. Site owners are urged to upgrade affected Drupal branches immediately (multiple 8.x–11.x versions listed) and to apply the latest security updates even if they do not use PostgreSQL, due to upstream fixes.