CVE-2026-9082 is a critical SQL injection vulnerability (CVSS 9.5) in Drupal Core that moved from patch to mass exploitation in under 48 hours, with over 15,000 documented attack attempts against approximately 6,000 sites across 65 countries. Gaming and financial services organizations account for roughly half of observed targets. Unauthenticated exploitation is indicated by available sourcing. Any internet-facing Drupal instance on an affected version requires immediate patching or WAF-based containment.