Drupal is warning users that it’s preparing a patch for a ‘highly critical’ vulnerability that could be exploited by threat actors shortly after its disclosure.
In a notice posted this week, the developers of the open source content management system (CMS) that powers hundreds of thousands of websites said patches will be released for all supported versions on May 20, between 17:00 and 21:00 UTC.
“Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory,” Drupal developers said.
They believe an exploit for the vulnerability “might” be created within hours or days of disclosure.
“Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made,” the developers noted.
Patches will be released for Drupal versions 11.3.x, 11.2.x, 10.6.x and 10.5.x.
Vulnerabilities are regularly patched in Drupal, with 40 issues patched so far in 2026. However, few of them are critical, and there hasn’t been a ‘highly critical’ flaw in years.
In addition, there haven’t been any reports of new Drupal vulnerabilities being exploited in the wild since 2019. In the years leading up to 2019, several vulnerabilities were exploited, including those dubbed Drupalgeddon and Drupalgeddon2, which were used to hack many websites.







