Security

Drupal security advisories are now listed in the OSV.dev database, providing a major boost to automated vulnerability detection and package ecosystem compatibility. This new distribution channel complements existing tools and reflects a cross-community effort to modernize security monitoring for Drupal sites. ...more

Tag1 has released Drupal 7.104, the first public core update since Drupal 7’s end-of-life, patching a critical JavaScript prototype pollution flaw and adding PHP 8.4 compatibility through its Extended Support program. ...more

Drupal has issued four moderately critical security advisories addressing Denial of Service, Gadget Chain, Defacement, and Information Disclosure vulnerabilities. All issues affect multiple Drupal core versions, with updates available for supported branches 10.4, 10.5, 11.1, and 11.2. Site administrators are urged to update to the latest patched versions to ensure stability and security. Each vulnerability has distinct risk vectors and mitigations, including cache poisoning and potential exposure of sensitive files. ...more

The Drupal Security Team has rescheduled the upcoming core security release window to November 12, 2025, to avoid overlap with DrupalCon events. No critical vulnerabilities are involved, and no release is guaranteed. ...more

A DrupalSouth article explores the perception of open source as risky and shows how Drupal’s security practices challenge that view. With a global team, predictable advisories, and secure defaults, Drupal proves that open source can be both transparent and resilient. ...more

Container security in production demands more than convenience – it demands vigilance. From image vulnerability scanning and strict Kubernetes policies to real‑time runtime monitoring, this post outlines the essentials tools and practices every team should adopt to protect their infrastructure. Ignore them at your peril. ...more

The InfoSec Tribune breaks down Drupalgeddon 2, a critical RCE vulnerability in Drupal 7 and 8. Learn how one insecure function led to global exploitation, millions in damages, and enduring lessons for web security. ...more

A recent supply chain attack on NPM packages exploited maintainer accounts to publish trojan-injected updates. The Drupal Security Team reports that Drupal itself is unaffected but advises site owners to audit third-party dependencies. ...more

Ensure PCI DSS v4.0 compliance on your Drupal Commerce site using a Content Security Policy (CSP). Learn how CSP headers and the Security Kit module help protect payment pages from client-side threats like XSS and unauthorised scripts. ...more

Lullabot’s David Burns reveals how a state government platform transformed its Drupal maintenance with automation. Using Renovate and continuous updates, the team slashed module update work, reduced patch debt by 68%, improved security, and freed developers to focus on high-value projects — setting a new standard for efficient Drupal site management. ...more

Alex Lyzo shares a hands-on guide to securing Drupal sites—from update routines to login protection and role audits. Learn which modules to use, what mistakes to avoid, and how to layer your defenses effectively. ...more

Is your enterprise website ready for 2025’s compliance standards? From HIPAA-mandated safeguards to ISO 27001 certification, meeting modern data security expectations isn’t optional—it’s a business requirement. This guide breaks down exactly what your site needs to stay secure, avoid penalties, and win trust in a privacy-first world. ...more