This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.
This is a beta release for the final scheduled minor version of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.
This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.
The CKEditor 5 experimental module is being developed for Drupal 10 WYSIWYG editing and depends on the third-party CKEditor 5 JavaScript library. CKEditor has issued a security advisory for CKEditor 5:
Drupal core is only known to be vulnerable when the full HTML format is used with CKEditor within QuickEdit, and the exploit only affects the user who inserts a JavaScript payload. Since full HTML already allows writing JavaScript that can contain cross-site scripting (XSS) payloads, we are treating this update as a public security hardening.
CKEditor 4 is not affected, so sites where only the stable CKEditor module is enabled (with the CKEditor 5 experimental module uninstalled) will not be impacted and do not urgently need to update to this release.
This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.
The CKEditor 5 experimental module is being developed for Drupal 10 WYSIWYG editing and depends on the third-party CKEditor 5 JavaScript library. CKEditor has issued a security advisory for CKEditor 5:
Drupal core is only known to be vulnerable when the full HTML format is used with CKEditor within QuickEdit, and the exploit only affects the user who inserts a JavaScript payload. Since full HTML already allows writing JavaScript that can contain cross-site scripting (XSS) payloads, we are treating this update as a public security hardening.
CKEditor 4 is not affected, so sites where only the stable CKEditor module is used (with the CKEditor 5 experimental module uninstalled) will not be impacted and do not urgently need to update to this release.
Drupal core is unlikely to be vulnerable. This bugfix release updates the version of Diactoros used in drupal/core-recommended to a secure version as a precaution.
The Security Team believes it is unlikely Drupal core or contributed modules are affected, but this release updates the dependency as a security hardening.
This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:
This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.
This is a beta release for the next minor (feature) release of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:
This is an alpha release for the next minor (feature) release of Drupal 9. Alphas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Alpha releases are not recommended for non-technical users, nor for production websites. More information on alpha releases.
Unsupported development snapshot for the 9.5.x release series.
The 9.5.x branch is now open for new development. 9.5.0 is scheduled for release in December 2022.
Those interested in testing the upcoming 9.4.0 releases of Drupal core should continue to work with the 9.4.x branch until 9.4.0 is released on June 15, 2022.