Drupal’s “Highly Critical” Patch Lands This Morning — Update Now

Drupal released a “highly critical” core security patch this morning AEST (5–9pm UTC, 20 May 2026). The flaw is rated 20 out of 25 on Drupal’s own scoring scale, and exploitation requires no authentication and no privileged access, the worst-case combination for an internet-facing CMS, per PSA-2026-05-18 and follow-up reporting from The Hacker News. The Drupal Security Team has warned that working exploits could appear within hours or days of the announcement.

If you run Drupal anywhere in your business — main site, member portal, donations page, intranet, a microsite no-one looks at — this is for you. Drupal quietly powers a fair share of Australian not-for-profit, council, university and government web properties. A pre-authentication remote code execution flaw on a public site is also the kind of incident that can trigger the Notifiable Data Breaches scheme if donor or customer data sits behind it.

What to do today. Update each Drupal site to the latest release on its branch right now. Patches are out for 11.3.x, 11.2.x, 10.6.x and 10.5.x. Drupal has also issued best-effort fixes for end-of-life branches — 11.1.9, 10.4.9, 9.5.11 and 8.9.20 — for sites that haven’t moved. Apply those today and put migration to a supported branch on this quarter’s plan. Drupal 7 is not affected, but if you’re still on it, that’s a separate conversation.
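
The branch guidance above, applied to a site inventory, as an added example that is not code from Drupal or from this post. The site names and installed versions in the sample are constructed, and the action labels are this example's own.

```python
import re

# Branches and fix releases exactly as listed in the advisory text above.
SUPPORTED = {(11, 3), (11, 2), (10, 6), (10, 5)}
EOL_FIX = {(11, 1): 9, (10, 4): 9, (9, 5): 11, (8, 9): 20}  # branch -> fixed patch level

# Accepts 11.3.2, 10.4.x-dev, 9.5.10-rc1 and two-part Drupal 7 versions such as 7.103.
_VERSION = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+|x))?(-[\w.]+)?$")

def triage(version):
    """Return (action, target) for one installed Drupal core version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return ("check-manually", None)          # unknown version: someone must look
    major, minor = int(m.group(1)), int(m.group(2))
    patch, suffix = m.group(3), m.group(4)
    if major == 7:
        return ("not-affected", None)            # per the advisory; migration is separate
    if (major, minor) in SUPPORTED:
        # The text gives no fixed release number for supported branches, so
        # every site on one is told to move to the latest release on it.
        return ("update-to-latest-on-branch", f"{major}.{minor}.x")
    if (major, minor) in EOL_FIX:
        fix = EOL_FIX[(major, minor)]
        target = f"{major}.{minor}.{fix}"
        # Dev and pre-release builds are treated as unpatched.
        patched = patch not in (None, "x") and suffix is None and int(patch) >= fix
        if patched:
            return ("eol-fix-present-plan-migration", target)
        return ("apply-eol-fix-then-plan-migration", target)
    return ("branch-not-listed", None)           # no release named above: check the PSA

def triage_inventory(sites):
    """Map {site name: version string} to {site name: (action, target)}."""
    return {name: triage(version) for name, version in sites.items()}

# Constructed sample inventory (hypothetical sites and versions).
SAMPLE_SITES = {
    "main-site": "11.3.2",
    "donations": "9.5.10",
    "intranet": "10.4.x-dev",
    "old-microsite": "7.103",
    "member-portal": "10.3.14",
}

if __name__ == "__main__":
    for name, (action, target) in triage_inventory(SAMPLE_SITES).items():
        print(f"{name:15} {action:36} {target or '-'}")
```
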

Not sure who maintains your Drupal site, or whether anyone is watching the security feed for you? That’s a question worth resolving before the first weaponised exploit hits the scanners. Our Cybersecurity team can help.
