The gist: Drupal warns of a critical security vulnerability with a high risk of exploitation. An update will be available today between 17:00 and 21:00 UTC. Administrators should be wary of suspicious information online and monitor the official security portal.
Drupal has announced a “core security release” for today to fix a vulnerability that could be exploited by threat actors shortly after publication. Administrators should plan for the update between 17:00 and 21:00 UTC.
The popular content management system Drupal is warning website operators of a critical security vulnerability and has announced an urgent update for today. The vulnerability affects Drupal core versions starting from 8.0, although not all configurations are affected.
Security updates are being provided for several versions: the current versions 11.3.x, 11.2.x and 10.6.x through 10.4.x, as well as the no-longer-supported versions 11.1.x and 10.4.x. For these older versions, a patch is being offered because of the severity of the vulnerability.
The end-of-life versions 8 and 9 will not receive patches. For versions 9.5 and 8.9, however, hotfix files will be published so that older installations can also be protected.
The Drupal security team has explicitly stated that no technical details about the vulnerability have been disclosed. Administrators should be wary of possibly fraudulent information on the internet that could mislead them into taking unsafe measures. The official Drupal security portal should be monitored regularly to obtain current information and to apply the update promptly.