
PostgreSQL

Open-source relational database; the sole Drupal database backend affected by CVE-2026-9082.

Last refreshed: 29 May 2026 · Appears in 1 active topic

Key Question

Why does choosing PostgreSQL over MySQL make Drupal sites uniquely vulnerable to this SQL injection?

Timeline for PostgreSQL

22 May: Mentioned in "Drupal SQL flaw hits PostgreSQL sites" (Cybersecurity: Threats and Defences)
Common Questions
Is PostgreSQL itself vulnerable to the Drupal SQL injection CVE-2026-9082?
No. CVE-2026-9082 is a flaw in Drupal's application layer, not in PostgreSQL. PostgreSQL is the database where the injected SQL executes, but the vulnerability lies in how Drupal constructs queries for PostgreSQL backends. No patch to the database engine itself is involved. Source: Drupal security advisory, May 2026
Why are only PostgreSQL Drupal sites affected by CVE-2026-9082?
Drupal's database-abstraction layer generates different SQL for PostgreSQL than for MySQL/MariaDB backends. The injection vector exists only in the PostgreSQL-specific query-construction path, leaving MySQL and MariaDB installs unaffected. Source: Drupal security advisory, May 2026
What percentage of Drupal sites use PostgreSQL?
Fewer than 5% of Drupal installations use PostgreSQL as their database backend; the majority use MySQL or MariaDB. However, PostgreSQL is disproportionately common in government and regulated-sector Drupal deployments. Source: Drupal community usage statistics

Background

PostgreSQL is an open-source, object-relational database management system first released in 1996, descended from the Ingres and POSTGRES projects at the University of California, Berkeley. It is one of the world's most widely deployed relational databases, favoured for its standards compliance, ACID guarantees, extensibility, and strong support for complex queries, JSON, and geospatial data. PostgreSQL is the default backend for many government, healthcare, and regulated-sector applications, particularly in jurisdictions that require open-source infrastructure for data sovereignty reasons.

In May 2026, PostgreSQL featured directly in a major vulnerability incident: CVE-2026-9082, a Drupal Core SQL injection flaw rated Highly Critical (23/25, CVSS 6.5), affects only Drupal deployments running on PostgreSQL. Drupal's database-abstraction layer handles PostgreSQL-specific query construction differently from MySQL and MariaDB, and the injection vector exists in that PostgreSQL-specific code path. PostgreSQL accounts for fewer than 5% of Drupal installations globally, but that subset is disproportionately concentrated in government and regulated-sector environments, which amplifies the real-world risk.

The CVE-2026-9082 incident is not a flaw in PostgreSQL itself; the vulnerability is in Drupal's query-construction layer, and PostgreSQL is merely the passive surface on which the injection executes. The episode nonetheless illustrates that database selection carries indirect security consequences: where PostgreSQL is mandated for sovereignty reasons, it inadvertently concentrates risk for any application-layer vulnerability with a database-backend-specific trigger.

Source Material