Critical SQL Injection Vulnerability in Drupal Exploited in the Wild
**Drupal** has confirmed that a critical SQL injection vulnerability, **CVE-2026-9082**, is now being actively exploited. The vulnerability affects multiple versions of the content management system (CMS) and could lead to remote code execution, privilege escalation, and information disclosure.

**Drupal** is warning administrators that attackers are actively attempting to exploit a "highly critical" SQL injection vulnerability announced earlier this week. The project first published a PSA on May 18 urging administrators to apply the core updates addressing an issue that threat actors were expected to exploit rapidly.
### CVE-2026-9082 Details
The flaw, tracked as **CVE-2026-9082**, was discovered by **Google/Mandiant** researcher Michael Maturi. It resides within Drupal's database abstraction API, where specially crafted requests can trigger arbitrary SQL injection on sites that use **PostgreSQL** as their database backend.
SQL injection is a vulnerability class in which attacker-controlled input reaches a database query as SQL syntax rather than as data, so the database executes a statement the application never intended to run. Depending on the query and the database account's privileges, this can lead to unauthorized reading, modification, or deletion of database data.
The vulnerability is exploitable without authentication, increasing its severity and potential impact.
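The following is an added illustration of the SQL injection class described above; it is not Drupal's code and does not reproduce the CVE-2026-9082 trigger, which the advisory does not detail. It uses Python's standard sqlite3 module in memory as a stand-in for any SQL backend (the table, rows and payloads are constructed for the example) and puts a query built by string interpolation beside its parameterized equivalent, so the same payloads can be seen succeeding against one and failing against the other.

```python
import sqlite3

def make_db():
    # Constructed sample data, not a real Drupal schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "administrator"), (2, "alice", "editor"), (3, "bob", "authenticated")],
    )
    return conn

def find_by_name_vulnerable(conn, name):
    # Untrusted input is spliced into the statement text, so the database
    # parses the attacker's quote, OR and comment characters as SQL.
    sql = f"SELECT uid, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def find_by_name_safe(conn, name):
    # Placeholder binding: the statement is fixed at the time it is parsed and
    # `name` travels as a value, so the same payload is just a string nobody has.
    sql = "SELECT uid, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Constructed payloads. The first turns the WHERE clause into a role filter
# (privilege-escalation style); the second appends a UNION that reads the
# schema out of SQLite's catalogue table (information-disclosure style).
PAYLOAD_ROLE_BYPASS = "x' OR role = 'administrator' --"
PAYLOAD_DUMP_SCHEMA = "x' UNION SELECT 1, sql, '' FROM sqlite_master --"

def demo():
    conn = make_db()
    return {
        "vuln_role_bypass": find_by_name_vulnerable(conn, PAYLOAD_ROLE_BYPASS),
        "safe_role_bypass": find_by_name_safe(conn, PAYLOAD_ROLE_BYPASS),
        "vuln_dump_schema": find_by_name_vulnerable(conn, PAYLOAD_DUMP_SCHEMA),
        "safe_dump_schema": find_by_name_safe(conn, PAYLOAD_DUMP_SCHEMA),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The safe variant is not a filter on the input; the payloads are passed through untouched and simply never become SQL. That is the property a database abstraction layer is supposed to guarantee for every backend it supports, which is why a backend-specific escaping gap, as described here for PostgreSQL, is treated as a core bug rather than a site misconfiguration.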
In an updated advisory on May 22, Drupal officially confirmed that exploitation attempts have been detected in the wild.
"The risk score has been updated to reflect that exploit attempts are now being detected in the wild," reads the updated advisory.
Drupal has internally rated the vulnerability as "highly critical," assigning it a score of 23 out of 25 on its own risk scale. **NIST**, by contrast, rated it "medium severity" with a CVSS v3 base score of 6.5. The two figures are not directly comparable: Drupal's score comes from its own risk calculator, which rises when exploitation is observed in the wild, whereas a CVSS base score does not change with exploitation activity.
### Impact and Recommendations
CVE-2026-9082 impacts a broad range of Drupal versions, including:
* Drupal 8.9.x
* Drupal 10.4.x before 10.4.10
* Drupal 10.5.x before 10.5.10
* Drupal 10.6.x before 10.6.9
* Drupal 11.0.x / 11.1.x before 11.1.10
* Drupal 11.2.x before 11.2.12
* Drupal 11.3.x before 11.3.10
Website owners and administrators are strongly advised to upgrade immediately to the latest available version for their respective branch.
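As an added helper, not part of the advisory or of Drupal, the following Python function takes an installed core version string and reports whether it falls inside one of the affected ranges listed above. The fixed-release table is transcribed from that list; the treatment of 11.0.x (no fixed release of its own, so any 11.0.x is counted as affected) and of pre-release tags such as `-rc1` (sorted before the final release) are assumptions made here.

```python
# Fixed release per affected branch, transcribed from the advisory list above.
# 11.0.x is listed together with 11.1.x "before 11.1.10", so it is mapped to
# 11.1.10 (assumption: every 11.0.x is affected). 8.9.x is listed without a
# fixed release and is handled separately.
FIXED_RELEASES = {
    "10.4": "10.4.10",
    "10.5": "10.5.10",
    "10.6": "10.6.9",
    "11.0": "11.1.10",
    "11.1": "11.1.10",
    "11.2": "11.2.12",
    "11.3": "11.3.10",
}

def parse_version(v):
    """'10.5.9' -> (10, 5, 9, 1); '11.1.10-rc1' -> (11, 1, 10, 0).

    The fourth element makes a pre-release sort before its final release,
    so a release candidate of the fixed version is still reported as affected.
    """
    core, _, tag = v.strip().partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + ((0,) if tag else (1,))

def core_status(version):
    """Return 'affected', 'fixed' or 'unknown-branch' for a core version string."""
    major, minor, _, _ = parse_version(version)
    branch = f"{major}.{minor}"
    if branch == "8.9":
        return "affected"          # EoL branch listed with no fixed release
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return "unknown-branch"    # e.g. 9.x or 10.3.x: not in the list, check the advisory
    return "affected" if parse_version(version) < parse_version(fixed) else "fixed"

if __name__ == "__main__":
    import sys
    # Usage: python check_core.py 10.5.9 11.2.12 ...
    # The version can be read from a site with `drush status --field=drupal-version`
    # (assumed invocation; adjust for your Drush version).
    for v in sys.argv[1:]:
        print(f"{v}: {core_status(v)}")
```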
Even those not using PostgreSQL are encouraged to update, as the latest security updates include fixes for upstream dependencies, including **Symfony** and **Twig**.
The advisory emphasizes that Drupal 8 and 9 are end-of-life (EoL) and that patches for them are provided on a "best-effort" basis. Those branches also still carry other known vulnerabilities, so continuing to run them is inherently risky regardless of this fix.
