Drupal to Release Urgent Core Security Update on May 20, 2026

Drupal will release an urgent core security update for all supported branches on May 20, 2026, between 5:00 p.m. and 9:00 p.m. UTC. The Drupal Security Team has advised administrators to allocate time for immediate updates, warning that exploits may emerge within hours or days of disclosure. The alert applies to the PHP-based content management system (CMS) but does not specify affected versions or configurations. No CVE identifiers or technical details about the vulnerability were provided in the notice. The update is classified as critical, though the exact impact remains undisclosed.