Planned Security Release Window
The Drupal Security Team has announced an urgent core security release scheduled for May 20, 2026, between 5:00 p.m. and 9:00 p.m. UTC. The development team behind this widely used PHP content management system is advising all site administrators to block time during this window to apply necessary updates. According to the official advisory, exploits could surface within hours or days after the patch becomes available, making immediate action critical for affected configurations.
Affected Versions and Recommended Actions
Security patches will be issued for all currently supported Drupal core branches, including versions 11.3.x, 11.2.x, 10.6.x, and 10.5.x. Administrators are instructed to update their sites to the latest patch release for their respective branch ahead of the May 20 window. For sites running older but still supported minor versions like 11.1.x or 10.4.x, Drupal has provided transitional patches. Those on end-of-life major versions such as Drupal 8 and 9 will need to manually apply patch files, though the team cautions there is no guarantee these fixes will work correctly and warns they may introduce regressions. The exact nature of the vulnerability has not been disclosed, but the urgency of the announcement suggests a serious security flaw.
Source: The Hacker News
