Drupal released a “highly critical” core security patch this morning, 21 May 2026 AEST. The Drupal Security Team is warning that working exploits could appear within hours or days, as covered by The Hacker News and detailed in PSA-2026-05-18. If you work in a not-for-profit, there’s a fair chance this affects you — whether or not you know it.
Drupal punches well above its weight in the Australian NFP world. It’s free, flexible, and good at handling membership, donations and grant content — so a lot of organisations landed on it five or ten years ago and never moved. The catch is the people who built and maintained those sites often aren’t on the payroll anymore. A pre-authentication remote code execution flaw against an unmaintained website is close to an ideal breach vector — public, internet-facing, and frequently connected to donor or member databases that fall under the Notifiable Data Breaches scheme.
The deeper issue, beyond today’s patch, is technology debt. A lot of NFP tech stacks grew organically and have no clear owner — a Drupal site nobody updates, a mailing platform on a former staff member’s email, a database on a long-unsupported server. Today’s advisory is a useful prompt to do one specific thing: write down what your tech stack actually is, who has admin access to each piece, and when each piece was last updated. If you don’t know the answer, that is the answer.
This week’s action is concrete: get your Drupal site patched today and confirm with whoever manages it that the fix has actually been applied, not just scheduled. Longer term, we work with not-for-profits across Australia to clean up exactly this kind of accumulated risk. Have a look at IT Services for Not-for-Profits and get in touch if you’d like a second set of eyes on your stack.