Drupal is warning users that it’s preparing a patch for a ‘highly critical’ vulnerability that may be exploited by threat actors shortly after its disclosure.
In a notice posted this week, the developers of the open-source content management system (CMS) that powers hundreds of thousands of websites said patches will be released for all supported versions on May 20, between 17:00 and 21:00 UTC.
“Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory,” Drupal developers said.
They believe an exploit for the vulnerability “might” be created within hours or days of disclosure.
“Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made,” the developers noted.
Patches will be released for Drupal versions 11.3.x, 11.2.x, 10.6.x and 10.5.x.
Vulnerabilities are regularly patched in Drupal, with 40 issues patched to date in 2026. However, few of them are critical, and there hasn’t been a ‘highly critical’ flaw in years.
In addition, there haven’t been any reports of new Drupal vulnerabilities being exploited in the wild since 2019. In the years leading up to 2019, several vulnerabilities were exploited, including those dubbed Drupalgeddon and Drupalgeddon2, which were used to hack many websites.
