This is a maintenance minor release of Drupal 10 and is ready for use on production sites. Maintenance minors are recommended for sites that prefer the minimum changes between releases. Learn more about the Drupal core release cycle.
This is a maintenance minor release of Drupal 10 and is ready for use on production sites. Maintenance minors are recommended for sites that prefer the minimum changes between releases. Learn more about the Drupal core release cycle.
This is a release candidate for the next minor version (feature release) of Drupal 11. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.
This is a release candidate for the next maintenance minor release of Drupal 10. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.
This is a release candidate for the next minor version (feature release) of Drupal 11. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.
This is a beta release for the next maintenance minor release of Drupal 10. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases..
This is a beta release for the next minor (feature) release of Drupal 11. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.
SA-CORE-2025-005 removes a feature of an underlying library where request attributes can be manipulated. It is possible that some sites are actually relying on this feature. In this case, the behavior can be replicated by implementing a custom stack middleware to alter the incoming request.
This release updates minimum versions of Symfony Framework libraries. The updated libraries include a fix for CVE-2025-64500. Drupal does not expose this vulnerability, but the update is included as a hardening for other applications that may extend the library directly.
SA-CORE-2025-005 removes a feature of an underlying library where request attributes can be manipulated. It is possible that some sites are actually relying on this feature. In this case, the behavior can be replicated by implementing a custom stack middleware to alter the incoming request.
Symfony Framework released CVE-2025-64500 today. Drupal core does not expose this vulnerability.
Drupal 11.1 has Symfony 7.2 as minimum version, which is no longer supported by Symfony as of this month (November 2025). Since Drupal is not affected by the Symfony security vulnerability, we are not raising the minimum Symfony version for Drupal 11.1. Sites can update to Symfony 7.3 via Composer if needed, or update to Drupal 11.2. Sites should also aim to update to Drupal 11.2 or higher before Drupal 11.1 reaches its end-of-life in December.
SA-CORE-2025-005 removes a feature of an underlying library where request attributes can be manipulated. It is possible that some sites are actually relying on this feature. In this case, the behavior can be replicated by implementing a custom stack middleware to alter the incoming request.
This release updates minimum versions of Symfony Framework libraries. The updated libraries include a fix for CVE-2025-64500. Drupal does not expose this vulnerability, but the update is included as a hardening for other applications that may extend the library directly.
Drupal 11.2.x will receive security coverage until June 2026.
This release fixes a regression in Drupal 11.2.6 which caused an unintended backwards compatibility break with the webform module. There are no other changes compared to 11.2.6.
This is an alpha release for the next minor (feature) release of Drupal 11. Alphas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Alpha releases are not recommended for non-technical users, nor for production websites. More information on alpha releases.
This is a maintenance minor release of Drupal 10 and is ready for use on production sites. Maintenance minors are recommended for sites that prefer the minimum changes between releases. Learn more about the Drupal core release cycle.
This is a release candidate for the next minor version (feature release) of Drupal 11. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.
This is a release candidate for the next maintenance minor version of Drupal 10. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.
This is a release candidate for the next minor version (feature release) of Drupal 11. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.
This is a beta release for the next maintenance minor release of Drupal 10. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on alpha releases.
This is a beta release for the next minor (feature) release of Drupal 11. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.
