Drupal core CVE-2026-9082 — pre-auth SQL injection, CISA KEV, active exploitation confirmed; NCSC.ch flipped to "actively exploited"
From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18
If you did nothing this week: an internet-exposed Drupal site on PostgreSQL was anonymously SQL-injectable, and exploitation is now confirmed in the wild. Drupal pre-announced the emergency advisory in PSA-2026-05-18 and shipped SA-CORE-2026-004 on 2026-05-21. By 2026-05-23 the advisory had been updated to confirm exploit attempts, CISA had KEV-listed the CVE, and NCSC Switzerland had flipped its Cyber Security Hub post 12584 to "Actively exploited."
CVE-2026-9082 is a "highly critical" pre-authentication SQL injection in the Drupal core database abstraction layer, exploitable only against PostgreSQL backends. Drupal is widely deployed across Swiss and EU public-administration web estates; the PostgreSQL-only condition narrows but does not eliminate exposure. Apply the SA-CORE-2026-004 fixed core release immediately; if you cannot patch a PostgreSQL-backed Drupal site, take it off the public internet until you can.
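One way to act on the PostgreSQL-only condition when triaging an estate, as an added example that is not part of the original brief or of Drupal's own tooling: it reads each `sites/*/settings.php` under a docroot and reports whether an active `$databases` entry uses the `pgsql` driver, skipping commented-out examples that a plain text search would flag. The function names and sample file contents are constructed for illustration, and it assumes the driver is set literally in `settings.php`; drivers set in included files or from environment variables are not detected.

```python
import re
import sys
from pathlib import Path

# Matches PHP string literals (kept) or comments (dropped), so a '#' or '//'
# inside a password string is not mistaken for the start of a comment.
TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|(?://|#)[^\n]*""", re.S)
# Covers both "'driver' => 'x'" and "['driver'] = 'x'" forms.
DRIVER = re.compile(r"""['"]driver['"]\s*\]?\s*=>?\s*['"](\w+)['"]""")

# Constructed sample: pgsql appears only in comments, the active driver is mysql.
SAMPLE_MYSQL = """<?php
/**
 * Shipped-style example, inactive:
 *   'driver' => 'pgsql',
 */
# $databases['default']['default']['driver'] = 'pgsql';
$databases['default']['default'] = [
  'driver' => 'mysql',
  'password' => 'p#ss//word',  // constructed value
];
"""
# Constructed sample: active pgsql driver, so the site is in scope.
SAMPLE_PGSQL = """<?php
$databases['default']['default']['driver'] = 'pgsql';
"""

def strip_php_comments(src):
    """Remove PHP comments while leaving string literals untouched."""
    return TOKEN.sub(lambda m: m.group(1) or "", src)

def db_drivers(settings_src):
    """Return the set of database drivers declared in active (uncommented) code."""
    return set(DRIVER.findall(strip_php_comments(settings_src)))

def triage(docroot):
    """Map each sites/*/settings.php under docroot to True if it uses pgsql."""
    return {
        str(f): "pgsql" in db_drivers(f.read_text(errors="replace"))
        for f in sorted(Path(docroot).glob("sites/*/settings.php"))
    }

if __name__ == "__main__":
    for root in sys.argv[1:]:
        for path, exposed in triage(root).items():
            print(("PGSQL  " if exposed else "other  ") + path)
```

A `PGSQL` result only means the site meets the backend condition; whether it is still vulnerable depends on the installed core release, which this script does not check.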