Drupal is warning users that it’s already seeing attempts to exploit CVE-2026-9082, the highly critical vulnerability patched this week.

The vulnerability affects an API designed to ensure that database queries are sanitized to prevent SQL injection.

“A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases,” Drupal explains.

The flaw can be exploited by unauthenticated attackers to obtain information and, in some cases, to achieve privilege escalation and remote code execution.

Drupal predicted that an exploit for CVE-2026-9082 could be created within hours or days of disclosure, and it alerted users ahead of the patch’s release on May 20.