Drupal has issued an alert stating that it intends to launch a “core security launch” for all supported branches on Might 20, 2026, from 5-9 p.m. UTC.
“The Drupal Safety Crew urges you to order time for core updates at the moment as a result of exploits could be developed inside hours or days,” the maintainers of the PHP-based content material administration system (CMS) stated.
“Not all configurations are affected. Reserve time on Might 20 throughout the launch window to find out whether or not your websites are affected and in want of a direct replace. Mitigation info will probably be included within the advisory.”
It is being suggested to replace to the most recent supported patch for the location’s model of Drupal earlier than the deadline in order that any excellent improve points could be addressed.
Patches are anticipated to be out there for the next supported branches of Drupal core –
- 11.3.x
- 11.2.x
- 10.6.x
- 10.5.x
“Websites on considered one of these supported variations ought to replace to the most recent patch launch for the given department now in preparation for the security window,” Drupal stated.
The precise nature of the security difficulty being addressed is unknown at this stage, nevertheless it’s anticipated to be extreme provided that Drupal is offering 11.1.x and 10.4.x releases for websites working end-of-life minor core variations. Forward of the deliberate replace window –
- Websites on Drupal 11.1 or 11.0 ought to replace to at the least Drupal 11.1.9.
- Websites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 ought to replace to at the least Drupal 10.4.9.
The thought is that these websites ought to apply the security replace as quickly as it’s launched on Might 20, after which improve to Drupal 11.3 or 10.6 within the close to future.
For websites nonetheless on end-of-life main core variations, reminiscent of Drupal 8 and 9, patch information for Drupal 8.9 and 9.5 will should be utilized manually. Nevertheless, Drupal has warned that there isn’t any assure the fixes will work accurately, including that they might introduce different points or regressions.
“Nevertheless, they might assist mitigate the vulnerability for websites nonetheless on these previous main variations till they improve to a supported launch,” Drupal stated.
“We strongly suggest Drupal 8 or 9 websites replace to at the least Drupal 10.6 quickly. Drupal 8 and 9 embody quite a few different, beforehand disclosed, security vulnerabilities that won’t be addressed by both Drupal Steward or the best-effort patch information.”
Drupal additionally famous that Drupal 7 isn’t affected by the problem. Websites on any model of Drupal 9 are suggested to replace to 9.5.11, and people on any model of Drupal 8 ought to replace to Drupal 8.9.20.
