The Drupal Security Team estimates that up to 5% of Drupal sites may be vulnerable to this highly critical issue. Furthermore, a majority of Drupal sites may also be affected by the Symfony and Twig security advisories published today, so all sites should update soon. Details in the advisory above.
Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
https://www.drupal.org/sa-core-2026-004
Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege
RE: https://mastodon.social/@fabpot/116605249165684897
Drupal-related security releases today include those referenced below. You can start updating dependencies from Symfony and doing testing steps now.
Site owners are encouraged to get their sites ready for a release of Drupal core that may affect them. Site owners should make upgrades easier (e.g. update to the most recent release available, improve deployment automation, improve automated testing) given the current security climate.
Upcoming highly critical release on May 20, 2026 - PSA-2026-05-18
https://www.drupal.org/psa-2026-05-18
There will be a Drupal core security release for all supported branches on May 20, 2026, between 17:00 and 21:00 UTC. (To see this in your local timezone, refer to the Drupal Core Calendar.) The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Not all configurations are affected. Reserve time
Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037
https://www.drupal.org/sa-contrib-2026-037
This module enables you to export entity date fields as iCal feeds. The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds. This vulnerability is not mitigated by any permission; the routes are accessible to all anonymous users with no configuration required.
Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036
https://www.drupal.org/sa-contrib-2026-036
This module enables you to open content already on the page within a colorbox. The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific
Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035
https://www.drupal.org/sa-contrib-2026-035
The GTranslate module provides a language switcher widget for Drupal sites. The module’s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to point to an unintended domain. This vulnerability is mitigated by the fact that an
Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034
https://www.drupal.org/sa-contrib-2026-034
The Node View Permissions module enables the permissions "View own content" and "View any content" for each content type on the permissions page. The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user. This vulnerability is mitigated by the fact that only private contents where anonymous should not have view access
Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033
https://www.drupal.org/sa-contrib-2026-033
This module enables you to obfuscate email addresses in content. The module doesn't sufficiently sanitize user input via the Twig filter. This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using the module's Twig filter.