Overview
- A bug in Drupal's database abstraction layer, tracked as CVE-2026-9082, lets unauthenticated attackers send crafted requests that inject arbitrary SQL on Drupal sites running on PostgreSQL, which can lead to information disclosure, privilege escalation, or remote code execution.
- Drupal released coordinated security updates during its May 20 release window and warned administrators to apply fixes immediately for supported branches, with manual guidance provided for some end-of-life 8.x and 9.x releases.
- Security firms reported rapid probing after disclosure, with Imperva observing more than 15,000 attack attempts aimed at nearly 6,000 sites across about 65 countries and many probes focused on gaming and financial services.
- The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog and recommended accelerated remediation timelines for federal civilian agencies.
- Although Drupal estimates that fewer than 5 percent of installations use PostgreSQL, the bug affects high-value government and enterprise sites, and past Drupal incidents show that reconnaissance can quickly turn into large-scale compromise.