Tag1 Releases Drupal 7.104 with Critical Security Fix and PHP 8.4 Support

Tag1 Consulting has officially released Drupal 7.104, marking the first public core update for Drupal 7 since the platform reached end-of-life in January 2025. Available via the D7ES Announcements Page, the release delivers a critical security patch and support for PHP 8.4 as part of its Extended Support program.

Critical JavaScript Vulnerability Fixed

The update resolves a Critical (16/25) JavaScript prototype pollution vulnerability that allowed attackers to inject arbitrary properties into the Object.prototype. This could compromise all objects in a Drupal application. The vulnerability stemmed from the jQuery BBQ library, used in modules like Views, Overlay, and Module Filter. According to Tag1’s advisory, only Overlay was found to be using the library in a vulnerable manner.

The issue was reported by izmeez and patched by the Tag1 D7ES team in collaboration with the Yii community. This release backports a fix from the Backdrop Module filter module in the jQuery BBQ library used by several popular modules, including Views, Overlay and Module Filter.

PHP 8.4 Compatibility Added

Drupal 7.104 also adds support for PHP 8.4, ensuring compatibility with modern infrastructure. Prior to this update, Drupal 7 only supported PHP 8.2, which ceased active support in December 2024. The new release reduces log noise and includes updated configurations, as documented in the D7ES changelog.

Keeping Drupal 7 Secure Post-EOL

Though officially unsupported, Drupal 7 still powers many production sites. Tag1’s Extended Support program provides ongoing security updates, infrastructure compatibility, and maintenance for both core and key contrib modules.

Download links:

• drupal-7.104.tar.gz
• drupal-7.104.zip

For future updates, users can subscribe to the release feed or visit the D7ES Announcements Page.