Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal released security updates for CVE-2026-9082, a vulnerability in its database abstraction API that allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL; impacts can include information disclosure and, in some cases, privilege escalation or remote code execution. Affected supported branches have updates (Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10) and manual patches are provided for some end-of-life versions; Drupal 7 is not affected.