Show advisories for only Drupal core, only contributed projects, or all security advisories

Security-related announcements, such as information on best practices.

Normal Drupal core security window rescheduled for November 12, 2025 due to DrupalCon - PSA-2025-11-03

Date: 
2025-November-03

The upcoming Drupal core security release window has been rescheduled from November 19, 2025 to November 12, 2025. As normal, the window will occur between 1600 UTC and 2200 UTC.

Third-Party Libraries and Supply Chains - PSA-2025-09-17

Date: 
2025-September-17

Supply-chain attack via maintainer account takeover

Drupal 7 End of Life - PSA-2025-01-06

Date: 
2025-January-06

Drupal core version 7 has reached end of life, and is no longer community supported on Drupal.org. This means that new releases of Drupal 7 core and contributed projects will no longer happen on Drupal.org and community support is no longer provided.

What this means for you:

Third-Party Libraries and Supply Chains - PSA-2024-06-26

Date: 
2024-June-26

Following on from previous PSAs on third-party code in the Drupal ecosystem:

It is the policy of the Drupal Security Team that site owners are responsible for monitoring and maintaining the security of third-party libraries.

Drupal 9 is end of life - PSA-2023-11-01

Date: 
2023-November-01

Drupal 9 is end of life as of November 1st, 2023

Drupal 9 relies on several other software projects, including Symfony, CKEditor, and Twig. With Symfony 4's end of life, CKEditor 4's end of life, and Twig 2's end of life all coming up soon, Drupal 9 went end of life on November 1st, 2023. There will be no further releases of Drupal 9.

Last chance to adopt Drupal 7 contributed projects before they might be marked unsupported - PSA-2023-07-19

Date: 
2023-July-19

Reminder: As we get ready for the End-of-life (EOL) of Drupal 7 in January 2025, changes are coming to the Drupal 7 ecosystem.

Announcement: Drupal core issues with some risk levels may be treated as bugs in the public issue queue, not as private security issues - PSA-2023-07-12

Date: 
2023-July-11

Updated 2023-07-14 to reference PSA-2023-06-07.

End of life announcement and changes to Drupal 7 support - PSA-2023-06-07

Date: 
2023-June-07

Updated 2023-07-14 to reference PSA-2023-07-12.

Drupal 7's end of life is January 5, 2025

On February 23, 2022, we announced that we would be extending the End-of-Life for Drupal 7 until at least November 1, 2023.

Today, we are officially announcing that Drupal 7 will reach its end of life on January 5, 2025.

With this final extension, the Drupal Security Team is also adjusting the level of support provided.

This will be the final extension.

Updated security policy for Drupal core Composer dependencies - PSA-2022-06-20

Date: 
2022-June-20

In Drupal 9.4 and higher, drupal/core-recommended allows patch-level vendor updates

The drupal/core-recommended metapackage now allows patch-level updates for Composer dependencies. This means that site owners using drupal/core-recommended can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package.

End of Drupal 6 vendor support - PSA-2022-03-09

Date: 
2022-March-09

Drupal 6 LTS vendor-provided support will end on October 22, 2022.

On February 24th, 2016, Drupal 6 was marked end-of-life (EOL). The Drupal 6 Long-Term-Support (LTS) program added more than 6 years of additional coverage for program participants and the community.

Pages

Subscribe with RSS Subscribe to Security public service announcements