**Drupal** has announced a "core security release" scheduled for later today, warning that threat actors might develop exploits within hours of the update disclosure. ### Urgent Update Required Administrators are urged to reserve time for core updates on May 20 between 17:00 and 21:00 UTC. Website administrators running versions 8 or 9 are strongly recommended to upgrade to at least version 10.6. The **Drupal** content management system (CMS) is widely used by large organizations, including those in government, education, and healthcare sectors. ### Affected Versions and Patches According to the [public service announcement](https://www.drupal.org/psa-2026-05-18), the vulnerability affects **Drupal** core versions 8 and later. Security updates will be available for the following versions: * Drupal 11.3.x * Drupal 11.2.x * Drupal 11.1x * Drupal 10.6.x * Drupal 10.5.x * Drupal 10.4x **Drupal** notes that, although versions 11.1x and 10.4x are no longer supported, fixes will still be provided for them due to the severity of the security issue; administrators should update to **Drupal** 11.1.9 and 10.4.9. **Drupal** 8 and 9, which have reached end-of-life, will receive no patches, but hotfix files will be published for versions 9.5 and 8.9, allowing remediation for those running versions 9.5.11 or 8.9.20. Sites using **Drupal** Steward are already protected against known attack vectors. An update is still recommended, though. ### Limited Disclosure and Caution No technical details about the vulnerability were disclosed, and **Drupal** warns that any information appearing online could be fraudulent. Admins are advised to exercise caution. “Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made,” warned **Drupal**. **Drupal** website administrators should continue to monitor the platform’s official security portal throughout the day for more information and prepare to apply the security update as soon as it’s made available.