CVE-2026-9082: Mitigating a Critical SQL Injection Vulnerability in Drupal

#akamai #drupal #core #array #keys #branches

At the core of CVE-2026-9082 is a breakdown in how external input is sanitized before it reaches the database abstraction layer. Specifically, the vulnerability resides in the PostgreSQL database driver (pgsql/src/EntityQuery/Condition.php) when it handles array structures passed in from HTTP requests. When a user submits a query string, PHP's parser builds arrays from it, which lets the attacker control the array keys, not just the values. The JSON:API module (and similar pipelines such as Views) preserves these array keys through the entire execution flow: the unsanitized keys move from the initial HTTP request into the EntityQuery construction and are eventually passed directly to the database driver. This vulnerability requires a specific environmental stack to be exploitable: you are at risk if your Drupal site uses a PostgreSQL database and relies on the JSON:API, Views, or related routing modules.…
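To make the parsing step concrete, the block below is an added example (not Drupal core code and not the CVE-2026-9082 fix): it shows that PHP's query-string parser hands nested array keys to the application verbatim, and a hypothetical allow-list check, find_invalid_key(), that rejects any key that is not a plain identifier before the parameters reach a query builder.

```php
<?php
// Added example, not Drupal core code and not the CVE-2026-9082 patch.
// PHP's query-string parser (the same one that fills $_GET) lets the client
// pick nested array KEYS, not only values. A pipeline that later treats those
// keys as field or operator names must validate them against an allow-list.

/**
 * Walk a (possibly nested) parameter array and return the dotted path of the
 * first key that is not a plain identifier, or null when every key is clean.
 * $maxDepth bounds the recursion so deeply nested input cannot exhaust the stack.
 */
function find_invalid_key(array $params, string $path = '', int $maxDepth = 8): ?string
{
    if ($maxDepth <= 0) {
        return $path === '' ? '(too deep)' : $path . '.(too deep)';
    }
    foreach ($params as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        // Hypothetical allow-list: letters, digits, underscore and hyphen only.
        if (!preg_match('/\A[A-Za-z0-9_-]+\z/', (string) $key)) {
            return $here;
        }
        if (is_array($value)) {
            $bad = find_invalid_key($value, $here, $maxDepth - 1);
            if ($bad !== null) {
                return $bad;
            }
        }
    }
    return null;
}

// Constructed inputs: a well-formed JSON:API-style filter, and one whose
// second-level key is client-chosen text rather than a field name.
$benign  = 'filter[title][value]=hello&filter[title][operator]=CONTAINS';
$hostile = 'filter[' . rawurlencode('not a field name!') . '][value]=x';

parse_str($benign, $benignParams);
parse_str($hostile, $hostileParams);

// The parser preserved the client-chosen key verbatim under 'filter'.
print_r(array_keys($hostileParams['filter']));

// The allow-list check accepts the first request and names the bad key in the second.
var_dump(find_invalid_key($benignParams));
var_dump(find_invalid_key($hostileParams));
```

Run it with `php example.php`; the same check belongs in front of any code path that turns request array keys into query conditions, regardless of database driver.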
