Vulnerability Watch

Forum Discussion

scaveza
Product Team
15 days ago

CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)

Drupal has released patches for a highly critical SQL injection vulnerability (CVE-2026-9082) in its database abstraction API. The flaw allows unauthenticated remote attackers to exploit PostgreSQL-backed Drupal sites, potentially leading to data theft, modification, and in some configurations, privilege escalation or remote code execution. No exploitation has been observed yet, but a public detection PoC and reproduction lab were published on the same day as the advisory.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2026-9082 | Drupal Core SQL Injection Vulnerability | 6.5 |

Patches are available for Drupal 11.3.x, 11.2.x, 11.1.x, 10.6.x, 10.5.x, and 10.4.x. Sites running MySQL or SQLite are not affected.

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.
