drupal 10.5.12

This is a security release of the Drupal 10 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Critical - PHP object injection - SA-CORE-2026-005
• Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006
• Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007
• Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008
• Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009

Important update information

• This release also updates dependencies for upstream security releases:

  • guzzlehttp/psr7 is updated to 2.10.4 for a guzzlehttp/psr7 security fix.

• Sites using URL discovery for Media oEmbed providers must add an additional media_oembed_discovery_trusted_host_patterns entry to settings.php for their list of known oEmbed providers (like YouTube and Vimeo). It is an array containing a series of regular expressions for matching host names for discovery. It follows the same pattern as the existing trusted hosts settings.

  Example:

  // Only allow URL discovery from example.com.
  $settings['media_oembed_discovery_trusted_host_patterns'] = [
    '^example\.com$',
  ];
  

  Most sites likely use providers.json to define their known oEmbed providers instead, and do not require this change.

Which release do I choose? Security coverage information

• This is likely the final release for 10.5.x. 11.5.x is expected to be end-of-life next week. Sites on Drupal 10.5.x should update immediately to Drupal 10.5.12, and then update to Drupal 10.6 or higher as soon as possible.
• Sites on Drupal 11.3.x should update immediately to Drupal 11.3.12.
• Sites on Drupal 11.2.x should update immediately to Drupal 11.2.14.
• Sites on Drupal 10.6.x should update immediately to Drupal 10.6.11.
• Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage.