CVE-2026-9082 is a vulnerability in Drupal's API that sanitizes database queries for PostgreSQL databases. It allows attackers to send specially crafted requests without authentication, resulting in arbitrary SQL injection. This can lead to information disclosure, privilege escalation, and remote code execution on affected Drupal sites. The vulnerability has a NIST CVSS score of 20 out of 25, indicating a highly critical severity. Drupal has released patches for versions 11.3, 11.2, 10.6, and 10.5.x to address this issue. Additionally, updates include fixes for important vulnerabilities in Symfony and Twig dependencies. The vulnerability affects only Drupal sites using PostgreSQL and no exploitation in the wild has been reported as of the publication date.

The vulnerability allows unauthenticated attackers to perform arbitrary SQL injection on Drupal sites using PostgreSQL, potentially leading to information disclosure, privilege escalation, and remote code execution. This poses a critical risk to the confidentiality, integrity, and availability of affected websites. Given Drupal's widespread use, vulnerable sites could be severely compromised if not patched promptly. However, the impact is limited to sites using PostgreSQL databases. No known exploitation in the wild has been reported at the time of disclosure.

Official patches are available for Drupal versions 11.3, 11.2, 10.6, and 10.5.x and should be applied immediately to mitigate this vulnerability. Additionally, Drupal recommends updating Symfony and Twig dependencies to address related upstream vulnerabilities. Organizations should verify their Drupal site configurations to confirm if PostgreSQL is used and prioritize patching accordingly. Since this is a server-hosted CMS, applying the official updates is the primary and effective mitigation.