The Drupal Security Team has released SA-CORE-2026-004, confirming that the highly critical issue previewed in yesterday’s advance advisory is an anonymous SQL injection vulnerability affecting Drupal sites running PostgreSQL databases. The flaw, tracked as CVE-2026-9082, exists in Drupal core’s database abstraction API and can lead to information disclosure, privilege escalation, and potentially remote code execution. The coordinated release also includes upstream Symfony and Twig security fixes, prompting update recommendations for all supported Drupal installations regardless of database configuration.