Drupal is releasing an emergency core security update on May 20 between 17:00 and 21:00 UTC. Pre-disclosure advisory PSA-2026-05-18 rates the issue 'highly critical' (20 of 25 on Drupal's scoring) and notes access complexity 'None' and authentication 'None' - meaning the underlying flaw is unauthenticated and easy to trigger. Patches will land for the supported 11.3.x, 11.2.x, 10.6.x, and 10.5.x branches, plus emergency patches for EOL 11.1.x and 10.4.x. Drupal 7 is not affected. Drupal 8 and 9 will only get best-effort manual patch files. The Drupal Security Team warns working exploits may follow within hours of disclosure.