Show advisories for only Drupal core, only contributed projects, or all security advisories

Security-related announcements, such as information on best practices.

Upcoming highly critical release on May 20, 2026 - PSA-2026年05月18日

Date:
2026-May-18

There will be a Drupal core security release for all supported branches on May 20, 2026, between 17:00 and 21:00 UTC. (To see this in your local timezone, refer to the Drupal Core Calendar.) The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days.

Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.

We recommend updating to the latest supported patch (bugfix) release for your site's version of Drupal before May 20, so that you can address any other upgrade issues before the security window. (Recommendations for specific Drupal versions follow.)

This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected from known attack vectors, but should upgrade in the near future in case additional attack vectors are discovered.

Normal Drupal core security window rescheduled for November 12, 2025 due to DrupalCon - PSA-2025年11月03日

Date:
2025-November-03

The upcoming Drupal core security release window has been rescheduled from November 19, 2025 to November 12, 2025. As normal, the window will occur between 1600 UTC and 2200 UTC.

Drupal 7 End of Life - PSA-2025年01月06日

Date:
2025-January-06

Drupal core version 7 has reached end of life, and is no longer community supported on Drupal.org. This means that new releases of Drupal 7 core and contributed projects will no longer happen on Drupal.org and community support is no longer provided.

What this means for you:

Third-Party Libraries and Supply Chains - PSA-2024年06月26日

Date:
2024-June-26

Following on from previous PSAs on third-party code in the Drupal ecosystem:

It is the policy of the Drupal Security Team that site owners are responsible for monitoring and maintaining the security of third-party libraries.

Drupal 9 is end of life - PSA-2023年11月01日

Date:
2023-November-01

Drupal 9 is end of life as of November 1st, 2023

Drupal 9 relies on several other software projects, including Symfony, CKEditor, and Twig. With Symfony 4's end of life, CKEditor 4's end of life, and Twig 2's end of life all coming up soon, Drupal 9 went end of life on November 1st, 2023. There will be no further releases of Drupal 9.

End of life announcement and changes to Drupal 7 support - PSA-2023年06月07日

Date:
2023-June-07

Updated 2023年07月14日 to reference PSA-2023年07月12日.

Drupal 7's end of life is January 5, 2025

On February 23, 2022, we announced that we would be extending the End-of-Life for Drupal 7 until at least November 1, 2023.

Today, we are officially announcing that Drupal 7 will reach its end of life on January 5, 2025.

With this final extension, the Drupal Security Team is also adjusting the level of support provided.

This will be the final extension.

Updated security policy for Drupal core Composer dependencies - PSA-2022年06月20日

Date:
2022-June-20

In Drupal 9.4 and higher, drupal/core-recommended allows patch-level vendor updates

The drupal/core-recommended metapackage now allows patch-level updates for Composer dependencies. This means that site owners using drupal/core-recommended can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package.

Pages