Drupal patches highly critical SQL injection (CVE-2026-9082) — exploited in the wild within 48h
An unauthenticated SQL injection in Drupal core's database abstraction API affects every PostgreSQL-backed site. Drupal scored it 23/25. Attacks started two days after the patch dropped.