Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Drupal to Patch Highly Critical Vulnerability at Risk of Quick Exploitation

Drupal says attackers may develop an exploit for the vulnerability within hours or days.

Vulnerability

Drupal is warning users that it’s preparing a patch for a ‘highly critical’ vulnerability that may be exploited by threat actors shortly after its disclosure.

In a notice posted this week, the developers of the open source content management system (CMS) that powers hundreds of thousands of websites said patches will be released for all supported versions on May 20, between 17:00 and 21:00 UTC.

“Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory,” Drupal developers said.

They believe an exploit for the vulnerability “might” be created within hours or days of disclosure.

“Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made,” the developers noted.

Patches will be released for Drupal versions 11.3.x, 11.2.x, 10.6.x and 10.5.x. 

Advertisement. Scroll to continue reading.

Vulnerabilities are regularly patched in Drupal, with 40 issues patched to date in 2026. However, few of them are critical, and there hasn’t been a ‘highly critical’ flaw in years.

In addition, there haven’t been any reports of new Drupal vulnerabilities being exploited in the wild since 2019. In the years leading up to 2019, several vulnerabilities were exploited, including those dubbed Drupalgeddon and Drupalgeddon2, which were used to hack many websites.

Related: Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild

Related: Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026

Related: New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.