Drupal says hackers are already trying to exploit CVE-2026-9082, a highly critical SQL injection flaw affecting its database abstraction API and PostgreSQL sites. The company urges immediate updates after confirming real-world exploitation attempts, while warning that older Drupal 8 and 9 branches remain risky even with best-effort patches. #Drupal #CVE-2026-9082 #GoogleMandiant #MichaelMaturi #PostgreSQL #Symfony #Twig
Keypoints
- Drupal warned of active exploitation attempts against CVE-2026-9082.
- The flaw is an unauthenticated SQL injection issue in Drupalβs database abstraction API.
- Successful exploitation could lead to remote code execution, privilege escalation, and data disclosure.
- The vulnerability affects multiple Drupal branches, including several 10.x, 11.x, and older 8.x releases.
- Administrators are urged to upgrade immediately, even if they do not use PostgreSQL.