Drupal CVE-2026-9082 — disclosure-only Monday to KEV-confirmed-exploited by Friday

A textbook example of why the weekly lens matters: an item that was a pre-patch warning at the start of the week was confirmed exploited in the wild by its end. Drupal pre-announced an emergency advisory via PSA-2026-05-18 (daily 2026-05-20); SA-CORE-2026-004 shipped the "highly critical" pre-auth SQL injection fix on 2026-05-21; and by 2026-05-23 Drupal had updated the advisory to confirm exploit attempts, CISA had KEV-listed it, and NCSC Switzerland had flipped its Cyber Security Hub post 12584 to "Actively exploited." See § 1 for the operational framing — the trajectory itself is the lesson: a PostgreSQL-backed public-sector Drupal site left unpatched across this one week moved from "watch" to "presumed-targeted."