Patch Drupal now: a critical SQL injection is being mass-exploited

  • Shipped
  • Action required
  • High importance

CVE-2026-9082 is an unauthenticated SQL injection in Drupal core, and the project rated it 23 out of 25 — "highly critical," its top tier. It only bites sites backed by PostgreSQL; MySQL, MariaDB, and SQLite deployments are unaffected. Fixes landed May 20 across the supported branches (10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, 11.3.10), and CISA added the bug to its KEV catalog two days later. Then the requests poured in. One firm logged more than 15,000 attempts across roughly 6,000 sites in 65 countries inside 48 hours — much of it still reconnaissance, mapping which instances are exploitable, with gaming and financial-services sites drawing nearly half the volume. Crafted input can read or alter database contents, escalate privileges, and in some configurations reach remote code execution. If you run Postgres-backed Drupal and skipped the May 20 release, treat this as urgent.
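A triage check for this advisory, added here as an example and not code from the Drupal project: given a site's core version and database driver key, it reports whether one of the May 20 fixed releases is in place. The fixed versions and the PostgreSQL-only scope are taken from the text above; the function names and the handling of branches with no listed fix are assumptions of this example.

```python
"""Triage helper: is this Drupal install exposed to CVE-2026-9082?

The fixed releases and the PostgreSQL-only condition come from the advisory
text; the function names and the treatment of branches without a listed fix
are assumptions of this added example.
"""
import re

# Patch releases named in the advisory as carrying the fix, keyed by branch.
FIXED_RELEASES = {
    "10.4": "10.4.10",
    "10.5": "10.5.10",
    "10.6": "10.6.9",
    "11.1": "11.1.10",
    "11.2": "11.2.12",
    "11.3": "11.3.10",
}

# Drupal database driver keys (as in settings.php) the advisory says are affected.
AFFECTED_DRIVERS = {"pgsql"}


def parse_version(version):
    """Turn a core version such as '10.5.8' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, driver):
    """Return (needs_action, reason) for a Drupal core version and DB driver key."""
    if driver not in AFFECTED_DRIVERS:
        return False, f"driver {driver!r} is not affected by CVE-2026-9082"
    major, minor, patch = parse_version(version)
    branch = f"{major}.{minor}"
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        # Assumption: a branch with no listed fix is out of support, so the only
        # remediation the advisory offers is moving to a fixed release.
        return True, f"branch {branch} has no fixed release listed; upgrade to a supported branch"
    if (major, minor, patch) >= parse_version(fixed):
        return False, f"{version} is at or above fixed release {fixed}"
    return True, f"{version} is below fixed release {fixed}; upgrade now"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("web-a", "10.5.8", "pgsql"), ("web-b", "11.2.12", "pgsql"),
                 ("web-c", "10.3.5", "pgsql"), ("web-d", "10.4.9", "mysql")]
    for host, ver, drv in inventory:
        action, why = assess(ver, drv)
        print(f"{host}: {'PATCH' if action else 'ok'} - {why}")
```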