Drupal is preparing to release patches for a highly critical vulnerability affecting several supported versions (11.3.x, 11.2.x, 10.6.x, and 10.5.x) on May 20, 2026. The vulnerability is considered at high risk of exploitation shortly after disclosure, with the Drupal security team indicating that an exploit might be developed within hours or days. No further technical details or indicators have been disclosed prior to the patch release. This vulnerability is notable as Drupal has not had a highly critical flaw in years, and no recent exploitation has been reported since 2019. Users should plan to update their Drupal installations promptly once patches are available.

The vulnerability is rated highly critical by Drupal developers, implying that successful exploitation could lead to severe consequences for affected websites. The risk of rapid exploitation shortly after patch release increases the urgency for timely updates. However, as of the information provided, no active exploitation has been observed in the wild. The impact is potentially significant given Drupal's widespread use in web content management, but specific impact details are not disclosed.

Drupal has scheduled official patches for the affected versions to be released on May 20, 2026, between 17:00 and 21:00 UTC. Users should reserve time during this window to determine if their sites are affected and apply the updates immediately. No additional mitigation steps or workarounds have been provided prior to the patch release. Organizations should monitor the official Drupal advisory for detailed mitigation instructions and apply the official fixes as soon as they become available.