🚨 Upcoming Drupal Core Security Release 🚨

The Drupal Security Team has announced an upcoming Highly Critical security release (Risk score: 20/25). Because exploits could be developed within hours or days of disclosure, it is vital to prepare your sites.

📅 When: May 20, 2026, between 17:00 and 21:00 UTC.
🔒 Impact: all supported branches (and some end-of-life versions) of Drupal 10 and 11, as well as Drupal 8 and 9.

What you need to do now:

1️⃣ Reserve time: Set aside resources on May 20 during the release window to review the advisory, check your configurations, and apply the update immediately if needed.

2️⃣ Update to the latest patch version today: The Security Team recommends updating your site to its current branch's latest patch release now:
- Drupal 11.3 / 11.2 / 10.6 / 10.5: Update to the latest patch release immediately.
- Drupal 11.1 / 11.0: Update to at least 11.1.9 ahead of the window.
- Drupal 10.4 and older 10.x: Update to at least 10.4.9 ahead of the window.
- Drupal 9 / 8: These are end-of-life, but due to the issue's severity, the team will provide manual patch files for Drupal 9.5.11 and Drupal 8.9.20. Update your legacy sites now so that the manual patches have the best chance of applying.

🛡️ If your site uses Drupal Steward, you will have immediate protection from known attack vectors, but you should still plan to upgrade shortly after the release.

Don't wait until May 20 to prep your environment. Spread the word to your teams!

👉 Check the official Drupal Security page for the live advisory on May 20 (see link in first comment).

#Drupal #WebSecurity #CyberSecurity #WebDevelopment #OpenSource #DevOps #TechAlert
Drupal Security Team
Computer and Network Security
Drupal Security Team facilitates coordinated vulnerability disclosure of security issues for software from drupal.org.
About us
A channel for news from the volunteers of the Drupal Security Team. We're experimenting with this channel and welcome your feedback. Thanks!

To contact the team, read our page on what options are available: https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquette/reporting-a-security-issue

Individual security advisories are published via email, RSS, Bluesky, and Mastodon. Find all of those channels at https://www.drupal.org/security/
- Website: https://www.drupal.org/drupal-security-team
- Industry: Computer and Network Security
- Company size: 11-50 employees
Updates
-
Don't miss out! Regular registration for DrupalCon Chicago ends on February 23 (2 days) and then prices will go up.

There are some great sessions at DrupalCon that will help people to manage the security of their sites: Engineering for security compliance: How to prepare before the audit AI Crawlers Are Crushing Your Website: Here's What You Can Do About It The Bug Stops Here: The State of Georgia Shifts Left Deploy with Confidence: Automated Testing for Drupal Security Team Panel

And, of course, there's all the opportunity for networking and conversations. We hope to see you at any Drupal event (camp, conference, etc.) and Chicago is a great opportunity to learn more about security in Drupal.
Looking to sharpen your skills and expand your Drupal-focused network in 2026? Regular registration for DrupalCon Chicago closes 23 February. From deep technical sessions to strategic case studies and meaningful networking, #DrupalCon is where the community comes together to move the platform forward. Secure your ticket before rates increase and join us in Chicago 👉 https://lnkd.in/gj6Aa7UZ #Drupal #DrupalConChicago
-
Happy 25th anniversary of Drupal's release! A few years later on August 1, 2005, the Security Team was created (see the timeline below for more details). We celebrate everyone involved along the way and welcome new folks to support the goal of a secure Drupal.
Community celebrates 25 years of Drupal 🥳 Moshe Weitzman has created a retro-style website to celebrate Drupal’s 25th anniversary! It’s a nostalgic look back at key moments in Drupal’s journey and a reminder of how far the project and its community have come over the years. 💙 ✨ Have a look, take a stroll down memory lane, and help wish Drupal a happy birthday https://buff.ly/K5Ybgh6 #Drupal #Drupal25 #DrupalTurns25 #CelebrateDrupal #OpenSource
-
Drupal Security Team reposted this
Today is Thanksgiving in the US. While not everyone celebrates it, I want to take a moment to express my gratitude to the Drupal Security Team, a group whose work often goes unrecognized. As Drupal's project lead, the fact that I'm rarely needed in their operations is the highest compliment I can offer. Their consistent effort has protected millions of websites. For more on why their work sets a standard for open source, read my full post at https://lnkd.in/eTUXfkp9. #drupal #security #thankyou #drupalthanks
-
How can a Software Bill of Materials (SBOM) help improve transparency, confidence, and security of your Drupal site? Read more in this post from CivicActions: https://lnkd.in/gNuBWD5E

How do you create an SBOM for Drupal? There are a few ways, but you could start with a Drupal-specific SBOM module described in this article from Open SSF: https://lnkd.in/dyCUMv63

Are you creating SBOMs for your projects? What tools are you using? Do you find SBOMs helpful, or is it part of compliance and "checking the box"? What can the Drupal code or community do to better support and leverage SBOMs?