Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: highly-critical (1 article)Clear

Drupal shipping highly critical core security update today (May 20, 17:00-21:00 UTC) - PSA-2026-05-18, severity 20/25, unauthenticated

Drupal is releasing an emergency core security update on May 20 between 17:00 and 21:00 UTC. Pre-disclosure advisory PSA-2026-05-18 rates the issue 'highly critical' (20 of 25 on Drupal's scoring) and notes access complexity 'None' and authentication 'None' - meaning the underlying flaw is unauthenticated and easy to trigger. Patches will land for the supported 11.3.x, 11.2.x, 10.6.x, and 10.5.x branches, plus emergency patches for EOL 11.1.x and 10.4.x. Drupal 7 is not affected. Drupal 8 and 9 will only get best-effort manual patch files. The Drupal Security Team warns working exploits may follow within hours of disclosure.

Check
Inventory all Drupal sites and their exact versions. Flag any site on Drupal 8 or 9 since these need manual best-effort patches and a planned upgrade.
Affected
All supported Drupal core 11.x and 10.x; pre-patched 11.1.x and 10.4.x EOL branches available; Drupal 8/9 best-effort only. Drupal 7 is not affected.
Fix
Pre-upgrade to 11.1.9 or 10.4.9 today before the security release lands. Apply the patch the moment it ships and plan an upgrade to 11.3 or 10.6 within the next quarter.