drupal 9.5.11

Security update

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

drupal 9.5.10

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9. Drupal 10.0.9 is also available.

drupal 9.4.15

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

drupal 9.5.9

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9. Drupal 10.0.9 is also available.

drupal 9.4.14

Security update
Insecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

drupal 9.5.8

Security update
Insecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

drupal 9.5.7

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9. Drupal 10.0.7 is also available.

drupal 9.4.13

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

drupal 9.5.6

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9. Drupal 10.0.6 is also available.

drupal 9.4.12

Security update
Insecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

drupal 9.5.5

Security update
Insecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

drupal 9.5.4

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9. Drupal 10.0.4 is also available.

drupal 9.4.11

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

drupal 9.5.3

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9. Drupal 10.0.3 is also available.

drupal 9.4.10

Security update
Insecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

drupal 9.5.2

Security update
Insecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

drupal 9.5.1

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9. Drupal 10.0.1 is also available.

drupal 9.5.0

Bug fixes
New features
Insecure

This is the final minor version (feature release) of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9 and the Drupal core release cycle.

drupal 9.5.0-rc2

Bug fixes
New features
Insecure

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

drupal 9.4.9

Bug fixes
Insecure
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

drupal 9.5.0-rc1

Bug fixes
New features
Insecure

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

drupal 9.4.8

Bug fixes
Insecure
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

drupal 9.5.0-beta2

Bug fixes
New features
Insecure

This is a beta release for the final scheduled minor version of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

drupal 9.4.7

Insecure
Security update

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

drupal 9.3.22

Security update
Insecure
Insecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

drupal 9.4.6

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

drupal 9.5.0-beta1

Bug fixes
New features
Insecure

This is a beta release for the final scheduled minor version of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

drupal 9.4.5

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

The CKEditor 5 experimental module is being developed for Drupal 10 WYSIWYG editing and depends on the third-party CKEditor 5 JavaScript library. CKEditor has issued a security advisory for CKEditor 5:

Drupal core is only known to be vulnerable when the full HTML format is used with CKEditor within QuickEdit, and the exploit only affects the user who inserts a JavaScript payload. Since full HTML already allows writing JavaScript that can contain cross-site scripting (XSS) payloads, we are treating this update as a public security hardening.

CKEditor 4 is not affected, so sites where only the stable CKEditor module is enabled (with the CKEditor 5 experimental module uninstalled) will not be impacted and do not urgently need to update to this release.

drupal 9.3.21

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

The CKEditor 5 experimental module is being developed for Drupal 10 WYSIWYG editing and depends on the third-party CKEditor 5 JavaScript library. CKEditor has issued a security advisory for CKEditor 5:

Drupal core is only known to be vulnerable when the full HTML format is used with CKEditor within QuickEdit, and the exploit only affects the user who inserts a JavaScript payload. Since full HTML already allows writing JavaScript that can contain cross-site scripting (XSS) payloads, we are treating this update as a public security hardening.

CKEditor 4 is not affected, so sites where only the stable CKEditor module is used (with the CKEditor 5 experimental module uninstalled) will not be impacted and do not urgently need to update to this release.

drupal 9.4.4

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal core uses the third-party Diactoros library as its PSR-7 implementation. Diactoros has issued a security advisory:

Drupal core is unlikely to be vulnerable. This bugfix release updates the version of Diactoros used in drupal/core-recommended to a secure version as a precaution. As a reminder, Drupal 9.4 and higher sites should update their third-party Composer dependencies when an upstream security advisory is issued.

drupal 9.3.20

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal core uses the third-party Diactoros library as its PSR-7 implementation. Diactoros has issued a security advisory:

Drupal core is unlikely to be vulnerable. This bugfix release updates the version of Diactoros used in drupal/core-recommended to a secure version as a precaution.

drupal 9.3.18

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

drupal 9.4.2

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

drupal 9.3.17

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

The Security Team believes it is unlikely Drupal core or contributed modules are affected, but this release updates the dependency as a security hardening.

drupal 9.4.1

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

The Security Team believes it is unlikely Drupal core or contributed modules are affected, but this release updates the dependency as a security hardening.

drupal 9.4.0

Insecure
Bug fixes
New features

This is a minor version (feature release) of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9 and the Drupal core release cycle.

drupal 9.4.0-rc2

Security update
Bug fixes
Insecure

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

drupal 9.2.21

Security update
Insecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

drupal 9.3.16

Security update
Insecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

No other fixes are included.

drupal 9.4.0-rc1

Bug fixes
New features
Insecure

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

drupal 9.3.15

Bug fixes
Insecure
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

drupal 9.4.0-beta1

Bug fixes
New features
Insecure

This is a beta release for the next minor (feature) release of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

drupal 9.2.20

Security update
Insecure
Insecure
Insecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

drupal 9.3.14

Security update
Insecure
Insecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

No other fixes are included.

drupal 9.2.19

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

drupal 9.3.13

Bug fixes
Insecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

drupal 9.4.0-alpha1

Insecure
Bug fixes
New features

This is an alpha release for the next minor (feature) release of Drupal 9. Alphas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Alpha releases are not recommended for non-technical users, nor for production websites. More information on alpha releases.

drupal 9.5.x-dev

Bug fixes
New features

Unsupported development snapshot for the 9.5.x release series.

The 9.5.x branch is now open for new development. 9.5.0 is scheduled for release in December 2022.

Those interested in testing the upcoming 9.4.0 releases of Drupal core should continue to work with the 9.4.x branch until 9.4.0 is released on June 15, 2022.

See the current development schedule for information on current and upcoming releases.

Pages

Subscribe with RSS Subscribe to Releases for Drupal core