Drupal has issued an alert stating that it plans to release a “Core Security Release” for all supported branches on May 20, 2026 from 5:00 PM to 9:00 PM (UTC).
A maintainer of a PHP-based content management system (CMS) said, “The Drupal security team recommends that you allow time for core updates at that time, as exploits may be developed within hours or days.”
“Not all configurations are affected. Please reserve time during the release period on May 20th to determine if your site is affected and needs to be updated immediately. Mitigation information will be included in the advisory.”
We recommend that you update to the latest supported patch for your site’s Drupal version before the deadline to address any outstanding upgrade issues.
Patches will be available in the following supported branches of Drupal core:
11.3.x 11.2.x 10.6.x 10.5.x
“Sites using one of these supported versions should update to the latest patch release for the applicable branch in preparation for the security period,” Drupal said.
The exact nature of the security issue being addressed is unknown at this stage, but we expect it to be serious, given that Drupal offers 11.1.x and 10.4.x releases for sites running end-of-life minor core versions. Before the scheduled update period –
Sites on Drupal 11.1 or 11.0 must be updated to at least Drupal 11.1.9. Sites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 must be updated to at least Drupal 10.4.9.
The idea is that these sites should apply the security update as soon as it’s released on May 20th and upgrade to Drupal 11.3 or 10.6 in the near future.
If your site is still using a major core version that is no longer supported, such as Drupal 8 or 9, you will need to manually apply the Drupal 8.9 and 9.5 patch files. However, Drupal cautioned that there is no guarantee that the fix will work correctly, adding that it may cause other issues or regressions.
“However, it may help reduce vulnerabilities for sites that still have older major versions until they upgrade to a supported release,” Drupal said.
“We strongly recommend that Drupal 8 or 9 sites update to at least Drupal 10.6 immediately. Drupal 8 and 9 contain numerous other previously disclosed security vulnerabilities that cannot be addressed by Drupal Steward or best-effort patch files.”
Drupal also states that Drupal 7 is not affected by this issue. We recommend that sites using any version of Drupal 9 update to 9.5.11. Sites using any version of Drupal 8 should update to Drupal 8.9.20.
Source link
