DRUPAL has announced it is preparing a patch for a “highly critical” vulnerability that security researchers fear could be exploited within hours or days of disclosure. According to SecurityWeek, patches will be released for all supported Drupal versions on May 20, between 17:00 and 21:00 UTC, with site operators urged to reserve time on that window to assess impact and apply updates. The vulnerability affects Drupal 11.3.x, 11.2.x, 10.6.x and 10.5.x, and mitigation details will be included in the advisory.
Drupal notes that an exploit “might” be created shortly after disclosure, and that no further information about the flaw will be released until the official announcement. The publication also notes that, historically, there have not been reports of new Drupal vulnerabilities exploited in the wild since 2019, though earlier flaws such as Drupalgeddon and Drupalgeddon2 were previously used to compromise websites. Patches are part of Drupal’s regular vulnerability management, with 40 issues patched so far in 2026.