Drupal said it will release a core security update later today and warned that threat actors could develop exploits within hours of the disclosure. Site administrators were told to set aside time for updates on May 20 between 17:00 and 21:00 UTC.
KEY FACTS
- Affected versions: The issue affects Drupal core versions 8 and later, though not all configurations are impacted.
- Fixes planned: Updates will be released for 11.3.x, 11.2.x, 11.1.x, 10.6.x, 10.5.x, and 10.4.x.
- End-of-life branches: Versions 11.1.x and 10.4.x will still get fixes, while 8 and 9 will not receive patches.
- Hotfixes: Drupal plans hotfix files for 9.5 and 8.9 for those running 9.5.11 or 8.9.20.
Administrators running versions 8 or 9 were urged to upgrade to at least version 10.6. Drupal said sites using Drupal Steward are already protected against known attack vectors, although an update is still recommended.
The advisory did not disclose technical details about the flaw. Drupal also warned that any information circulating online before the announcement could be fraudulent and intended to trick administrators into risky actions.
Website operators were told to monitor the platform’s official security portal throughout the day and apply the update as soon as it becomes available.
WHY IT MATTERS
The disclosure affects a widely used content management system deployed by large organizations and by government, education and healthcare sites. A rapid patch window and limited support for older versions mean administrators may need to move quickly to reduce exposure once the fix is released.

