Drupal Warns of Critical Core Patch on May 20 — Exploits Expected Within Hours

Drupal has announced a critical core security release for all supported branches scheduled for May 20, 2026, between 17:00–21:00 UTC. The Drupal Security Team explicitly warns that exploits could be developed within hours or days of the patch being published. Not all site configurations are confirmed to be affected, but the severity warrants proactive preparation regardless. Administrators of Drupal sites should reserve patching time during the release window and be ready to apply updates immediately. Automated deployment pipelines for Drupal environments should be tested in advance so patches can be rolled out with minimal delay after release.