DRUPAL has issued an alert that it intends to release a core security update for all supported branches on 20 May 2026, from 5–9 p.m. UTC. According to Drupal Security Team, exploits might be developed within hours or days, so site operators are urged to reserve time for the update window and determine whether their sites are affected.
Patches are expected for the following supported Drupal core branches: 11.3.x, 11.2.x, 10.6.x, and 10.5.x, with sites on those versions advised to update to the latest patch release now in preparation for the security window. For sites on older major versions, such as Drupal 8 and 9, patch files for 8.9 and 9.5 will need to be applied manually, though there is no guarantee the fixes will work perfectly and they may cause regressions.
The article notes that Drupal 7 is not affected, and provides specific upgrade guidance: sites on 11.1 or 11.0 should move to at least 11.1.9, while those on 10.4, 10.3, 10.2, 10.1, or 10.0 should upgrade to at least 10.4.9. After applying the security update, Drupal recommends upgrading to Drupal 11.3 or 10.6 in the near future.