Drupal has released an emergency core security update to address a critical, undisclosed vulnerability for which exploits are expected shortly after the patch release. The update affects all supported branches, specifically versions 11.3.x, 11.2.x, 10.6.x, and 10.5.x, with best-effort patches for end-of-life versions 11.1.x and 10.4.x. Site administrators must apply the patches immediately upon release on May 20, 2026, and organizations on unsupported Drupal 8 or 9 must upgrade to at least Drupal 10.6.
Vulnerability Management Drupal releases emergency security update amid exploit concerns May 20, 2026 Share By SC Staff The Drupal project is issuing an emergency core security update for all supported branches on May 20, between 5 and 9 p.m. UTC, due to a critical vulnerability. The Drupal Security Team has issued an advisory urging site administrators to reserve time for updates, warning that exploits could be developed within hours or days of the release, with further coverage provided by Security Affairs. While the specific type of vulnerability has not been disclosed, the urgency of the advisory suggests a serious flaw with a potentially short window between patch release and active exploitation. Drupal powers a significant portion of the web, including government sites, universities, and enterprise portals. Patches will be available for supported branches: 11.3.x, 11.2.x, 10.6.x, and 10.5.x. Best-effort patches will also be provided for end-of-life minor versions 11.1.x and 10.4.x. Organizations running unsupported Drupal 8 and 9 versions are strongly advised to upgrade to at least Drupal 10.6 soon, as these older versions contain numerous unaddressed security vulnerabilities and will not receive updates for this critical flaw. Source: Security Affairs SC Staff Related Vulnerability Management Max-severity vulnerability in ChromaDB allows unauthenticated remote code execution SC Staff May 20, 2026 The vulnerability affects the Python API server logic within the PyPI package, which sees nearly 14 million monthly downloads. Patch/Configuration Management Microsoft addresses Windows Update failures in restricted environments SC Staff May 20, 2026 The failures occur in environments with strict network limitations, including air-gapped systems and heavily firewalled networks. Vulnerability Management Universal Robots patches critical 9.8 flaw in ‘cobots’ OS Steve Zurier May 19, 2026 Critical flaw in Universal Robots cobots could let attackers hijack production systems remotely. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Bug Buffer Overflow Disassembly You can skip this ad in 5 seconds