Drupal Security

Project: Drupal coreDate: 2026-June-17Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Improper validationAffected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*CVE IDs: CVE-2026-55808Description: 

The JSON:API and REST modules allow you to upload image files to image fields.

The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.

Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.

Solution: 

Install the latest version:

Drupal 11

• If you use Drupal 11.3.x, update to Drupal 11.3.12.
• If you use Drupal 11.2.x, update to Drupal 11.2.14.

Drupal 10

• If you use Drupal 10.6.x, update to Drupal 10.6.11.
• If you use Drupal 10.5.x, update to Drupal 10.5.12.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• cantina_security

Fixed By: 

• Björn Brala (bbrala)
• Kim Pepper (kim.pepper)
• Lee Rowlands (larowlan) of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Drupal coreDate: 2026-June-17Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Server-side request forgeryAffected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*CVE IDs: CVE-2026-55807Description: 

The Media module comes with support for oEmbed. The oEmbed specification contains two discovery mechanisms, via providers.json and via URL discovery.

The URL discovery code could be leveraged to trick Drupal into making server-side requests to any URL.

Solution: 

Install the latest version:

Drupal 11

• If you use Drupal 11.3.x, update to Drupal 11.3.12.
• If you use Drupal 11.2.x, update to Drupal 11.2.14.

Drupal 10

• If you use Drupal 10.6.x, update to Drupal 10.6.11.
• If you use Drupal 10.5.x, update to Drupal 10.5.12.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Required site changes for URL discovery

Most users of the oEmbed functionality in Drupal likely use providers.json to define known providers (such as YouTube and Vimeo) for embedding content.

If you are using URL discovery, you now need to set a list of trusted oEmbed discovery hosts in settings.php.

This is an array containing a series of regular expressions for matching host names for discovery. It follows the same pattern as the existing trusted hosts settings.

Example:

// Only allow URL discovery from example.com. $settings['media_oembed_discovery_trusted_host_patterns'] = [ '^example\.com$', ]; Reported By: 

• Hamed Kohi (0xhamy)
• assaf alassaf (ama62)
• Albert Skibinski (askibinski)
• Jon Minder (ayalon)
• Lautaro Casanova (betah4k)
• Gabe Sullice (gabesullice)
• John Morahan (john morahan)
• Michael Winser (michaelwinser)
• nbanderson
• offensive-ai
• Francesco Placella (plach)
• quynh ho (qquynh)
• Himanshu Anand (unknownhad)

Fixed By: 

• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Adam G-H (phenaproxima)
• Sean Blommaert (seanb)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• cilefen (cilefen) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Mori Sugimoto (dokumori) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• James Gilliland (neclimdul) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Drupal coreDate: 2026-June-17Security risk: Less critical 9 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:DefaultVulnerability: Cache poisoning and open redirectAffected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*CVE IDs: CVE-2026-55806Description: 

Drupal core ships a rebuild.php front controller that can be used to rebuild Drupal (clearing the caches and rebuilding the container) when the site is in an unexpected condition.

This script doesn't correctly check the Host header against the list of trusted host patterns. This could result in cache poisoning or a redirect to an attacker-controlled domain.

Solution: 

Install the latest version:

Drupal 11

• If you use Drupal 11.3.x, update to Drupal 11.3.12.
• If you use Drupal 11.2.x, update to Drupal 11.2.14.

Drupal 10

• If you use Drupal 10.6.x, update to Drupal 10.6.11.
• If you use Drupal 10.5.x, update to Drupal 10.5.12.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Melih Acikoz
• Michael Winser (michaelwinser)
• Willem Drupal enthousiast (willempje2)

Fixed By: 

• Lee Rowlands (larowlan) of the Drupal Security Team

Coordinated By: 

• catch (catch) of the Drupal Security Team
• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• James Gilliland (neclimdul) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Drupal coreDate: 2026-June-17Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Gadget chainAffected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*CVE IDs: CVE-2026-55804Description: 

Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.

This issue is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize().

Solution: 

Install the latest version:

Drupal 11

• If you use Drupal 11.3.x, update to Drupal 11.3.12.
• If you use Drupal 11.2.x, update to Drupal 11.2.14.

Drupal 10

• If you use Drupal 10.6.x, update to Drupal 10.6.11.
• If you use Drupal 10.5.x, update to Drupal 10.5.12.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Michael Maturi (michaelmaturi)

Fixed By: 

• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Mohit Aghera (mohit_aghera)

Coordinated By: 

• Anna Kalata (akalata) of the Drupal Security Team
• Benji Fisher (benjifisher) of the Drupal Security Team
• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Drupal coreDate: 2026-June-17Security risk: Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: PHP object injectionAffected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*CVE IDs: CVE-2026-55803Description: 

SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services.

The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.

This vulnerability is mitigated by the fact that in order to be exploitable:

• A site must use an entity reference field type that stores a serialized property.
• An attacker must have permission to write to the entity via JSON:API.

No field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules.

JSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access).

Drupal Steward protection:

This issue is being protected by Drupal Steward. In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are not mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release.

Solution: 

Install the latest version:

Drupal 11

• If you use Drupal 11.3.x, update to Drupal 11.3.12.
• If you use Drupal 11.2.x, update to Drupal 11.2.14.

Drupal 10

• If you use Drupal 10.6.x, update to Drupal 10.6.11.
• If you use Drupal 10.5.x, update to Drupal 10.5.12.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Michael Maturi (michaelmaturi)

Fixed By: 

• Björn Brala (bbrala)
• Sascha Grossenbacher (berdir)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Coordinated By: 

• Anna Kalata (akalata) of the Drupal Security Team
• Benji Fisher (benjifisher) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• David Strauss (david strauss) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Tim Hestenes Lehnen (hestenet)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Ra Mänd (ram4nd) provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Plotly.js GraphingDate: 2026-June-17Security risk: Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: PHP object injectionAffected versions: <3.0.2CVE IDs: CVE-2026-55810Description: 

The Plotly.js Graphing module provides a fully customizable implementation of the open source Plotly.js graphing library.

The module stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a content entity with an attached plotly_js_graph field. In addition, the core JSON:API module must be enabled with the option "Accept all JSON:API create, read, update, and delete operations", which is not the default, or the attacker needs some other way to edit field values directly.

Solution: 

Install the latest version:

• If you use the Plotly.js Graphing module for Drupal, upgrade to plotly_js-3.0.2.

Reported By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Fixed By: 

• Stephen Mustgrave (smustgrave)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Flag attendance fieldDate: 2026-June-17Security risk: Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: PHP object injectionAffected versions: <1.2CVE IDs: CVE-2026-55809Description: 

The Flag attendance field module gives you the ability to add attendance by depending on Flag module.

flag_attendance_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a content entity with an attached flag_attendance_field field. In addition, the core JSON:API module must be enabled with the option "Accept all JSON:API create, read, update, and delete operations", which is not the default, or the attacker needs some other way to edit field values directly.

Solution: 

Install the latest version:

• If you use the Flag attendance field module for Drupal, upgrade to Flag attendance field 8.x-1.2.

Reported By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Fixed By: 

• Anas Mawlawi (anas_maw)
• Benji Fisher (benjifisher) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Formatter FieldDate: 2026-June-17Security risk: Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: PHP object injectionAffected versions: <2.0.0CVE IDs: CVE-2026-12535Description: 

The Formatter Field module provides a mechanism for specifying a formatter and formatter settings to be used for displaying a field, on a per-entity basis.

formatter_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an Object Injection vulnerability when the data are unserialized.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a content entity with an attached formatter_field field. In addition, the core JSON:API module must be enabled with the option "Accept all JSON:API create, read, update, and delete operations", which is not the default, or the attacker needs some other way to edit field values directly.

Solution: 

Install the latest version:

• If you use the Formatter Field module, upgrade to Formatter Field 2.0.0.

Reported By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Fixed By: 

• Kostia Bohach (_shy)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Brute force attack protectionDate: 2026-June-10Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2026-11915Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: ComposerDate: 2026-June-10Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2026-11914Description: 

The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Note: this is about a project for the Drupal system that makes use of composer. It is not a vulnerability in the composer software itself.

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Mother May IDate: 2026-June-10Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2026-11913Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Examples for DevelopersDate: 2026-June-10Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <4.0.6CVE IDs: CVE-2026-11909Description: 

The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality.

The "Read from a file" feature implemented by the file_example submodule can be used to expose any file that PHP can access. Therefore, the file_example sub-module is being removed from Examples for Developers until a version demonstrating file security best practices can be added back in the future. Developers who based a new module on this example should review their code for an access bypass.

Solution: 

Any site with the file_example submodule installed should uninstall it immediately. Then, install the latest version of Examples for Developers:

• If you are using Examples for Developers 4.0.x, upgrade to Examples for Developers 4.0.6. Developers who based a new module on this example should review their code for an access bypass.

Reported By: 

• Pierre Rudloff (prudloff) of the Drupal Security Team

Fixed By: 

• Alberto Paderno (avpaderno)
• Pierre Rudloff (prudloff) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: TagifyDate: 2026-June-10Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scripting (XSS)Affected versions: <1.2.52CVE IDs: CVE-2026-11908Description: 

This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets.

The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability that may allow attackers to execute arbitrary JavaScript in the context of the user’s session.

The vulnerability is mitigated by the fact an attacker must have a role with permission to create or edit taxonomy terms in a vocabulary.

Solution: 

Install the latest version of the Tagify module that includes a fix for sanitising parent term names in the Tagify dropdown rendering.

• If you use the Tagify module for Drupal, upgrade to tagify 1.2.52.

More information will be provided in the project release notes once the fixed version is published.

Reported By: 

• Pierre Rudloff (prudloff) of the Drupal Security Team

Fixed By: 

• David Galeano (gxleano)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Pierre Rudloff (prudloff) of the Drupal Security Team

Project: Anti-Spam by CleanTalkDate: 2026-June-03Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingAffected versions: <9.7.1CVE IDs: CVE-2026-10770Description: 

This module provides spam protection using the CleanTalk cloud service.

The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The _cleantalk_die() and ct_die() functions output the CleanTalk API response message directly into HTML without proper sanitization, allowing potential injection of arbitrary HTML or JavaScript.

This vulnerability is mitigated by the fact that an attacker must be able to influence the CleanTalk cloud API response (e.g., through a man-in-the-middle attack or a compromised API server).

Solution: 

Install the latest version:

• If you use the Anti-Spam by CleanTalk module for Drupal upgrade to Anti-Spam by CleanTalk 9.7.1

Reported By: 

• Ra Mänd (ram4nd) provisional member of the Drupal Security Team

Fixed By: 

• alexandergull
• anton1211
• Ra Mänd (ram4nd) provisional member of the Drupal Security Team

Coordinated By: 

• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Commerce CoreDate: 2026-June-03Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingAffected versions: >= 3.3.0 < 3.3.6CVE IDs: CVE-2026-10769Description: 

The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting (XSS).

This vulnerability is mitigated by the fact that it only affects installations with Checkout (commerce_checkout) enabled, and the "Comments" checkout pane (id: customer_comments) is explicitly used, which is disabled by default.

Solution: 

Install the latest version:

• If you use Commerce Core 3.3.x, upgrade to Commerce Core 3.3.6

Reported By: 

• Brian Willows (hsjbrianwillows)

Fixed By: 

• Jonathan Sacksick (jsacksick)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: TacJSDate: 2026-June-03Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Improper Access ControlAffected versions: <6.8CVE IDs:  CVE-2026-49977 Description: 

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside of content leading to an attacker being able to delete arbitrary cookies.

This vulnerability is mitigated by the fact that an attacker needs to be able to insert specific data attributes in the page.

For additional information, see the Github Security Advisory GHSA-jxj7-g6gm-49j7 for the tarteaucitron.js library.

Solution: 

Install the latest version:

• If you use tacjs 8.x-6.x, upgrade to tacjs 8.x-6.8

Reported By: 

• Frank Mably (mably)
• Pierre Rudloff (prudloff) of the Drupal Security Team

Fixed By: 

• Pierre Rudloff (prudloff) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff) of the Drupal Security Team

Project: LocalGov WorkflowsDate: 2026-June-03Security risk: Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information disclosureAffected versions: <1.6.0CVE IDs: CVE-2026-10768Description: 

This module configures default editorial workflows for LocalGov Drupal content types. It provides a Drupal content moderation workflow, a content approvals dashboard, content scheduling and content preview.

The module doesn't sufficiently restrict access to a view of Service Contacts at which exposes the names and content items assigned to each Service Contact.

Solution: 

Install the latest version:

• If you use the LocalGov Workflows module for Drupal, upgrade to LocalGov Workflows 1.6.0

Reported By: 

• Maria Young (maria.y)

Fixed By: 

• Finn Lewis (finn lewis)
• Rupert Jabelman (rupertj)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Drupal AlternativeCommerce (Basket)Date: 2026-May-27Security risk: Highly critical 22 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionAffected versions: <2.1.17CVE IDs: CVE-2026-9726Description: 

The Basket module enables e-commerce and checkout functionality for Drupal sites.

The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize().

An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the site codebase or installed dependencies, this can result in arbitrary PHP code execution.

Solution: 

Install the latest version:

• If you use the Basket module, upgrade to Basket 2.1.17.

Reported By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Fixed By: 

• Helena Zajika (helena zajika)
• Drew Webber (mcdruid) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: Drupal coreDate: 2026-May-20Security risk: Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:UncommonVulnerability: SQL injectionAffected versions: >= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10CVE IDs: CVE-2026-9082Description: 

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.

This vulnerability can be exploited by anonymous users.

This SQL injection vulnerability only affects sites using PostgreSQL. However, the third-party dependency updates in these releases apply to all sites.

Updates

May 22 2026, 04:30 UTC: The risk score has been updated to reflect that exploit attempts are now being detected in the wild.

Upstream security advisories

The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities.

Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.

Solution: 

Install the latest version.

Drupal 11

• If you use Drupal 11.3.x, update to Drupal 11.3.10.
• If you use Drupal 11.2.x, update to Drupal 11.2.12.
• If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10.

Drupal 10

• If you use Drupal 10.6.x, update to Drupal 10.6.9.
• If you use Drupal 10.5.x, update to Drupal 10.5.10.
• If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10.

Drupal 9 and 8

• If you use any version of Drupal 9, try manually applying the Drupal 9.5 patch for this issue.
• If you use Drupal 8.9, try manually applying the Drupal 8.9 patch for this issue.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.

Reported By: 

• Michael Maturi (michaelmaturi)

Fixed By: 

• Björn Brala (bbrala)
• Benji Fisher (benjifisher) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Coordinated By: 

• Anna Kalata (akalata) of the Drupal Security Team
• Benji Fisher (benjifisher) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Heine Deelstra (heine) of the Drupal Security Team
• Tim Hestenes Lehnen (hestenet)
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) of the Drupal Security Team
• quietone (quietone)
• Jess (xjm) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Date: 2026-May-18Security risk: Highly critical 20 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:UncommonDescription: 

There will be a Drupal core security release for all supported branches on May 20, 2026, between 17:00 and 21:00 UTC. (To see this in your local timezone, refer to the Drupal Core Calendar.) The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days.

Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.

We recommend updating to the latest supported patch (bugfix) release for your site's version of Drupal before May 20, so that you can address any other upgrade issues before the security window. (Recommendations for specific Drupal versions follow.)

This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected from known attack vectors, but should upgrade in the near future in case additional attack vectors are discovered.

Affected versions Supported core versions

Security releases will be provided for all the currently supported branches of Drupal core, which are:

• 11.3.x
• 11.2.x
• 10.6.x
• 10.5.x

Sites on one of these supported versions should update to the latest patch release for the given branch now in preparation for the security window.

End-of-life minor core versions (Drupal 10 and 11)

While the Drupal Security Team does not normally provide security releases for unsupported releases, given the severity of the issue, we are providing 11.1.x and 10.4.x releases that include the fix for sites which have not yet had a chance to update. Therefore, in advance of the window:

• Sites on Drupal 11.1 or 11.0 should update to at least Drupal 11.1.9.
• Sites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least Drupal 10.4.9.

These sites should apply the security update as soon as it is released on May 20, then plan to update to Drupal 11.3 or 10.6 in the near future. (Two other recent security advisories, SA-CORE-2026-001 and SA-CORE-2026-002, will not be addressed for 11.1 or 10.4.)

End-of-life major core versions (Drupal 8 and 9)

These major versions are fully end-of-life, so no releases will be created for these branches. However, given the potential severity of this issue, we will provide patch files for Drupal 8.9 and 9.5.

These patches must be applied manually. They are not guaranteed to work correctly, and might introduce other bugs or regressions. However, they may help mitigate the vulnerability for sites still on these old major versions until they upgrade to a supported release.

For the best chance of the patches being applied successfully:

• Sites on any version of Drupal 9 should update to Drupal 9.5.11.
• Sites on any version of Drupal 8 should update to Drupal 8.9.20.

We strongly recommend Drupal 8 or 9 sites update to at least Drupal 10.6 soon. Drupal 8 and 9 include numerous other, previously disclosed, security vulnerabilities that will not be addressed by either Drupal Steward or the best-effort patch files.

Drupal 7 is not affected.

Disclosure policy

Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, on Bluesky, Mastodon, X (formerly Twitter), and LinkedIn, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on Drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

Security release announcements will appear on the Drupal.org security advisory page which also has RSS feeds.

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• cilefen (cilefen) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Tim Hestenes Lehnen (hestenet)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team