Releases for Drupal core

This is a patch (bugfix) release of Drupal 10 and is ready for use on production sites. Learn more about Drupal 10.

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Information disclosure - SA-CORE-2023-001

No other fixes are included.

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9. Drupal 10.0.1 is also available.

This is the first supported release of the new Drupal 10 major version, and it is ready for use on production sites! Learn more about Drupal 10 and the Drupal core release cycles.

Drupal 10.0.0 has been released simultaneously with Drupal 9.5.0. Drupal 9.5 has most of the changes that Drupal 10 does, but retains backwards compatibility layers added through Drupal 9.5.0's release. Update to Drupal 9.5 before updating to Drupal 10 for the smoothest upgrade path.

If you are starting a new Drupal project, you have a choice between Drupal 9.5.0 and 10.0.0, and generally should choose Drupal 10 where possible for forward compatibility with future releases.

Regardless of which version you choose now, features will only be added to Drupal 10 minor releases. Plan to adopt Drupal 10 so that you can easily update to Drupal 10.1 and later.

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major, non-backwards-compatible new functionality).

No security fixes are included in this release.

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

This is a "hotfix" release to address two bugs in Drupal 7.93.

This is a release candidate for the next major version of Drupal. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major, non-backwards-compatible new functionality).

No security fixes are included in this release.

Changes have been made to default.settings.php. More details in the Change Records for major changes below.

No changes have been made to .htaccess, web.config or robots.txt files in this release, so upgrading custom versions of those files is not necessary.

This is a release candidate for the next major version of Drupal. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

This is a beta release for the next major version of Drupal. Drupal 10 beta releases are intended for site owners and module or theme authors to test compatibility and upgrade paths for Drupal 10.0. Beta releases are not intended for production.

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016

No other fixes are included.

This is a beta release for the final scheduled minor version of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major, non-backwards-compatible new functionality).

No security fixes are included in this release.

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

The CKEditor 5 experimental module is being developed for Drupal 10 WYSIWYG editing and depends on the third-party CKEditor 5 JavaScript library. CKEditor has issued a security advisory for CKEditor 5:

• CVE-2022-31175: Cross-site scripting (XSS) caused by the editor instance destroying process

Drupal core is only known to be vulnerable when the full HTML format is used with CKEditor within QuickEdit, and the exploit only affects the user who inserts a JavaScript payload. Since full HTML already allows writing JavaScript that can contain cross-site scripting (XSS) payloads, we are treating this update as a public security hardening.

CKEditor 4 is not affected, so sites where only the stable CKEditor module is enabled (with the CKEditor 5 experimental module uninstalled) will not be impacted and do not urgently need to update to this release.

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal core uses the third-party Diactoros library as its PSR-7 implementation. Diactoros has issued a security advisory:

• CVE-2022-31109: Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack

Drupal core is unlikely to be vulnerable. This bugfix release updates the version of Diactoros used in drupal/core-recommended to a secure version as a precaution. As a reminder, Drupal 9.4 and higher sites should update their third-party Composer dependencies when an upstream security advisory is issued.

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

No other changes are included.

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012
• Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
• Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
• Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

No other changes are included.

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

• CVE-2022-31090: CURLOPT_HTTPAUTH option not cleared on change of origin
• Change in port should be considered a change in origin

The Security Team believes it is unlikely Drupal core or contributed modules are affected, but this release updates the dependency as a security hardening.

Development branch for the current minor release of Drupal core

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

No other fixes are included.

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major, non-backwards-compatible new functionality).

No security fixes are included in this release.

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.