PostgreSQL
Drupal SA-CORE-2026-004: Highly Critical Unauthenticated SQL Injection Hits PostgreSQL Sites
CVE-2026-9082 is a highly critical SQL injection in Drupal core's database abstraction API. Anonymous attackers can run arbitrary SQL against PostgreSQL-backed sites. Patches were released May 20; exploitation is expected within days.
CloudNativePG CVE-2026-44477: Metrics Exporter Escalates Any DB User to Postgres Superuser and Host RCE
CloudNativePG's metrics exporter leaves the connection's session_user as the postgres superuser and lowers privileges only with SET ROLE, so a plain RESET ROLE returns the session to superuser. Any low-privileged database user who can do that gets OS-level command execution via COPY TO PROGRAM. CVSS 9.4. Patched in 1.28.3 and 1.29.1.
CVE-2026-34612: Kestra SQL Injection Chains to Host RCE via PostgreSQL COPY TO PROGRAM
Critical CVSS 9.9 flaw in Kestra orchestration platform lets authenticated attackers chain SQL injection through PostgreSQL COPY TO PROGRAM for arbitrary command execution on the Docker host.
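Both the CloudNativePG and the Kestra items above end in the same place: a session that is, or can become, a PostgreSQL superuser (or a member of pg_execute_server_program) and can therefore run COPY ... TO PROGRAM. The two queries below are an added check for auditing your own clusters; they are not code from CloudNativePG, Kestra, or either advisory, and they assume nothing beyond the standard PostgreSQL system catalogs.

```sql
-- Added audit example (not from the advisories or the affected projects).
-- 1. Run as the exporter/application role: is its "low privilege" only a
--    SET ROLE facade over a superuser login?  RESET ROLE restores
--    current_user to session_user, so if the session role is a superuser
--    the downgrade is not a security boundary.
SELECT session_user,
       current_user,
       session_user <> current_user AS role_was_switched,
       (SELECT rolsuper FROM pg_roles WHERE rolname = session_user)
           AS session_is_superuser;

-- 2. Who can reach the OS through COPY ... TO PROGRAM: superusers and
--    members of the built-in pg_execute_server_program role.  Anything
--    here that is an application, exporter, or orchestration role is a
--    host-RCE path if that role is ever reachable through SQL injection.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
           AS can_copy_to_program
FROM pg_roles r
WHERE r.rolsuper
   OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
ORDER BY r.rolname;
```

The durable fix for the first finding is a dedicated, non-superuser login role for the exporter rather than a superuser connection that switches roles, because SET ROLE (and SET SESSION AUTHORIZATION) can always be undone from inside the same session. For the second, keep application roles out of the list entirely; a SQL injection in an application connecting as such a role is a database compromise, not a host compromise.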
36 Malicious npm Packages Disguised as Strapi Plugins Deploy Redis Exploits, PostgreSQL Credential Harvesting, and Persistent Implants
A coordinated campaign planted 36 fake Strapi CMS plugins on npm that exploit Redis and PostgreSQL instances, harvest credentials, and install persistent C2 implants targeting production infrastructure.