Skip to content

CMS Drupal: Critical Drupal Core Update Announced for May 20

(Image: JLStock/Shutterstock.com). An urgent security update for Drupal Core will be released on the evening of Wednesday, May 20. Admins should install it promptly. The maintainers of the open-source content management system Drupal have announced that they intend to release a critical security update for Drupal Core on the evening of Wednesday, May 20, 2026. IT administrators should install it in a timely manner. In the advance notice of the security patch, the Drupal security team [1] writes that the update is expected to be released between 19 and 23 o’clock local time (17:00-21:00h UTC). The developers point out that admins urgently should take the time to apply the Drupal Core update, as exploits could be developed within hours or days after the fix is released. However, not all Drupal configurations are expected to be equally affected. The programmers have nothing to say yet about the limitations, but admins should check at the time of release whether their instances are affected and require an immediate update. Updates only for supported versions. The updates are actually only intended for the still-supported Drupal Core versions 11.3.x, 11.2.x, 10.6.x and 10.5.x. As an exception, patches for Drupal Core 11.1.x and 10.4.x are now also being added, even though they have already reached the end of the product support cycle. The developers cite the severity of the issue as the reason. The security team is even providing corrected software for Drupal Core 9.5 and 8.9. In order to apply the updates, installations with Drupal Core 11.1 and 11.0 should be updated to version 11.1.9, while the development branches 10.4, 10.3, 10.2, 10.1 and 10.0 require version 10.4.9 first. For the even older versions, Drupal Core 9.5.11 and 8.9.20 are prerequisites. Those still using Drupal Core 7 are not affected by the specific issue. This evening, the availability of the security update will be announced on Drupal’s security page [2] and on social media. Drupal [3] Core admins should check regularly during that time window whether the update is available and apply it immediately. (dmk [5]). URL of this article:. https://www.heise.de/-11300021. Links in this article:. https://www.drupal.org/psa-2026-05-18. https://www.drupal.org/security. https://www.heise.de/thema/Drupal. https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp. mailto:dmk@heise.de. Copyright © 2026 Heise Medien

heise security News

Share on: