Security public service announcements | Drupal.org

Security public service announcements | Drupal.org
Skip to search
Can we use first and third party cookies and web beacons to
understand our audience, and to tailor promotions you see
Security public service announcements
Show advisories for
only Drupal core
only contributed projects
, or
all security advisories
Security-related announcements, such as information on best practices.
Normal Drupal core security window rescheduled for November 12, 2025 due to DrupalCon - PSA-2025-11-03
Date:
2025-November-03
The upcoming Drupal core
security release window
has been rescheduled from November 19, 2025 to November 12, 2025. As normal, the window will occur between 1600 UTC and 2200 UTC.
about Normal Drupal core security window rescheduled for November 12, 2025 due to DrupalCon - PSA-2025-11-03
Third-Party Libraries and Supply Chains - PSA-2025-09-17
Date:
2025-September-17
Supply-chain attack via maintainer account takeover
about Third-Party Libraries and Supply Chains - PSA-2025-09-17
Drupal 7 End of Life - PSA-2025-01-06
Date:
2025-January-06
Drupal core version 7 has reached end of life, and is no longer community supported on Drupal.org. This means that new releases of Drupal 7 core and contributed projects will no longer happen on Drupal.org and community support is no longer provided.
What this means for you:
about Drupal 7 End of Life - PSA-2025-01-06
Third-Party Libraries and Supply Chains - PSA-2024-06-26
Date:
2024-June-26
Following on from previous PSAs on third-party code in the Drupal ecosystem:
PSA-2011-002 - External libraries and plugins
Various Third-Party Vulnerabilities - PSA-2019-09-04 | Drupal.org
It is the policy of the Drupal Security Team that site owners are responsible for monitoring and maintaining the security of third-party libraries.
about Third-Party Libraries and Supply Chains - PSA-2024-06-26
Drupal 9 is end of life - PSA-2023-11-01
Date:
2023-November-01
Drupal 9 is end of life as of November 1st, 2023
Drupal 9 relies on several other software projects, including Symfony, CKEditor, and Twig. With Symfony 4's end of life, CKEditor 4's end of life, and Twig 2's end of life all coming up soon, Drupal 9 went end of life on November 1st, 2023. There will be no further releases of Drupal 9.
about Drupal 9 is end of life - PSA-2023-11-01
Last chance to adopt Drupal 7 contributed projects before they might be marked unsupported - PSA-2023-07-19
Date:
2023-July-19
Reminder: As we get ready for the
End-of-life (EOL) of Drupal 7 in January 2025
, changes are coming to the Drupal 7 ecosystem.
about Last chance to adopt Drupal 7 contributed projects before they might be marked unsupported - PSA-2023-07-19
Announcement: Drupal core issues with some risk levels may be treated as bugs in the public issue queue, not as private security issues - PSA-2023-07-12
Date:
2023-July-11
Updated 2023-07-14 to reference
PSA-2023-06-07
about Announcement: Drupal core issues with some risk levels may be treated as bugs in the public issue queue, not as private security issues - PSA-2023-07-12
End of life announcement and changes to Drupal 7 support - PSA-2023-06-07
Date:
2023-June-07
Updated 2023-07-14 to reference
PSA-2023-07-12
Drupal 7's end of life is January 5, 2025
On February 23, 2022, we announced that we would be extending the End-of-Life for Drupal 7 until at least November 1, 2023.
Today, we are officially announcing that Drupal 7 will reach its end of life on January 5, 2025.
With this final extension, the Drupal Security Team is also adjusting the level of support provided.
This will be the final extension.
about End of life announcement and changes to Drupal 7 support - PSA-2023-06-07
Updated security policy for Drupal core Composer dependencies - PSA-2022-06-20
Date:
2022-June-20
In Drupal 9.4 and higher,
drupal/core-recommended
allows patch-level vendor updates
The
drupal/core-recommended
metapackage now allows patch-level updates for Composer dependencies. This means that site owners using
drupal/core-recommended
can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package.
about Updated security policy for Drupal core Composer dependencies - PSA-2022-06-20
End of Drupal 6 vendor support - PSA-2022-03-09
Date:
2022-March-09
Drupal 6 LTS vendor-provided support will end on October 22, 2022.
On February 24th, 2016, Drupal 6 was marked end-of-life (EOL). The Drupal 6 Long-Term-Support (LTS) program added more than 6 years of additional coverage for program participants and the community.
about End of Drupal 6 vendor support - PSA-2022-03-09
Pages
next ›
last »
Subscribe with RSS
In addition to the
news page and sub-tabs
, all security announcements are posted to an email list. To subscribe to email: log in, go to
your user profile page
and subscribe to the security newsletter on the
Edit » My newsletters
tab.
You can also get rss feeds for
core
contrib
, or
public service announcements
or follow
drupalsecurity@drupal.community
on Mastodon or
@drupalsecurity on Bluesky
Contacting the Security team
In order to report a security issue, or to learn more about the security team, please see the
Security team
handbook page.
Writing secure code
If you are a Drupal developer, please read the handbook section on
Writing secure code
News items
News
Planet Drupal
Social media
Sign up for Drupal news
Security advisories
Jobs
Our community
Community
Services
Training
Hosting
Contributor guide
Groups & meetups
DrupalCon
Code of conduct
Documentation
Documentation
Drupal Guide
Drupal User Guide
Developer docs
API.Drupal.org
Drupal code base
Download & Extend
Drupal core
Modules
Themes
Distributions
Governance of community
About
Web accessibility
Drupal Association
About Drupal.org
Drupal is a
registered trademark
of
Dries Buytaert