DRUPAL is pushing a core security update on May 20, with the Drupal Security Team urging site administrators to block out time between 5 and 9 p.m. UTC for the release window. The vulnerability type has not been disclosed ahead of the coordinated release, and patches will be made available for four currently supported branches: 11.3.x, 11.2.x, 10.6.x and 10.5.x.
The advisory notes that not all configurations are affected and suggests upgrading to the latest patch release for each branch to apply the fix cleanly when it drops. For end-of-life minor versions, best‑effort patch releases will be provided for 11.1.x and 10.4.x, with recommendations to move from Drupal 8 or 9 to at least 10.6 soon. Manual patch files for Drupal 8.9 and 9.5 will be available, though there is no guarantee they will apply cleanly.
According to The Drupal Security Team advisory, the window between patch release and active exploitation could be very short, and organisations should prepare to deploy the update promptly.