21 Apr 2026

feedDrupal.org aggregator

Freelock Blog: When Views meets Drupal Canvas -- getting dynamic content into your Canvas page

When Views meets Drupal Canvas -- getting dynamic content into your Canvas page

a web page with cards that show a similar theme

John Locke

From early days, "views" has been the killer feature of Drupal. Views is a powerful querying tool built into Drupal that allows dynamic lists and displays of content to be created without writing custom code.

dev corner icon
Dev Corner

21 Apr 2026 3:00pm GMT

Jacob Rockowitz: Drupal (AI) Playground: Training and practicing building a module using AI

Successes and failures

I am continually experiencing both successes and failures while playing in my Drupal (AI) playground. My failures usually come from expecting too much of an AI, especially when I ask it to do too many things in a single prompt. My successes with AI come when I keep things useful, simple, and achievable.

Building something useful, simple, and achievable with AI

As I've learned about and maintained new ecosystems in Drupal, I like to review all available plugins. For the Webform module, I created reports for elements, handlers, variants, and exporters. For ECA, I developed an ECA Report module. For the Meta Tag module, I contributed a patch to get a Meta Tag plugin report committed. I think having a way to browse a module's or ecosystem's plugins helps developers understand what tools are available. A Drush command for exporting plugin definitions could be used by both humans and AI.

In the past, creating and maintaining a report could be time-consuming. The new reality is that AI makes it easier to build and maintain simple things like reports. One of the most common anecdotes I hear from non-technical people who "vibe code" is that they are building websites or reports to display information.

My goal was to create a report that lists all plugin managers, plugin definitions, and individual plugin details.

There ain't nothing fancy here

The Plugin Report module I created with AI is nothing special. Claude Code's only challenge was getting the PHP introspection code to pass PHPStan's level 6 coding standards. In many ways, this module served as an exercise to reinforce my ability to guide an AI in the right direction. My biggest...Read More

21 Apr 2026 12:59pm GMT

Specbee: What tools and services you need for a successful Drupal migration

Confused about which Drupal migration tools you actually need? This guide breaks down the essential toolkit and when to bring in expert services.

21 Apr 2026 8:40am GMT

HOOK_DEV_ALTER(): Manage Displays: Canvas vs Display Builder (Part 2)

When building a Drupal site, we want to control how our content looks in different contexts, e.g. the full display for standalone or the card display for overview pages. In Part 2 of this series we compare how Drupal Canvas and Display Builder handle display configuration by building a node display for a blog content type.

21 Apr 2026 8:40am GMT

Smartbees: Automated Website Provisioning

See how we optimized the administrative workflows, making it easy to manage numerous websites simultaneously and launch new instances on demand.

21 Apr 2026 6:48am GMT

Très Bien Blog: Proposal for an LLM policy for Drupal Core contribution

Proposal for an LLM policy for Drupal Core contribution

I've been following and participating in the conversation about applying AI tools to the Drupal core issue queue, and the broader community. I've been listening, reading, and experimenting quite a bit in and out of Drupal. It's been a wild ride since last December and for the past few weeks a few things started to solidify.

theodore

21 Apr 2026 12:30am GMT

20 Apr 2026

feedDrupal.org aggregator

Talking Drupal: Talking Drupal #549 - Catching up with the DDEV Team

In Episode 549, Randy Fay and Stas Zhuk join us to discuss what DDEV is, recent improvements, and where it's headed. Module of the week is the DDEV Drupal Contrib add-on. Randy and Stas discuss priorities like reliability, consistent UX, add-ons discoverability, and new features including revamped ddev share with Cloudflare and rootless Podman support. They also cover coder.ddev.com, a cloud-based DDEV environment built on coder.com for easier onboarding and contribution, plus sustainability, community support, and challenges such as AI-driven PR volume and Stas's development constraints in Ukraine.

For show notes visit: https://www.talkingDrupal.com/549

Topics

Resources

DDEV - https://ddev.com/ DDEV Add-on Registry - https://addons.ddev.com/ Introducing coder.ddev.com: DDEV in the Cloud - https://ddev.com/blog/coder-ddev-com-announcement/ About Stas Zhuk - https://ddev.com/blog/introducing-maintainer-stas/ Power Through Blackouts: How DDEV Community Helped Me in Ukraine - https://ddev.com/blog/power-through-blackouts-ddev-community-support/ Drush command in core - https://www.drupal.org/project/drupal/issues/3453474 Drush's Final Act - https://weitzman.github.io/blog/drush-final-act coder.com - https://coder.com/ Service hosting coder.ddev.com - https://www.hetzner.com/ Funding DDEV - https://ddev.com/blog/sustainability-for-ddev/ Gen AI DDEV newsletter note - https://ddev.com/blog/ddev-march-2026-newsletter/ Sharing Coder.ddev.com workspaces - https://github.com/ddev/coder-ddev/issues/80

Guests

Stas Zhuk - stasadev Randy Fay - ddev.com rfay

Hosts

Nic Laflin - nLighteneddevelopment.com nicxvan John Picozzi - epam.com johnpicozzi Rod Martin - DrupalHelps.com imrodmartin

Module of the Week

with Martin Anderson-Clutz - mandclu.com mandclu

DDEV Drupal Contrib - DDEV integration for developing Drupal contrib projects. As a general philosophy, your contributed module/theme is the center of the universe.

20 Apr 2026 6:00pm GMT

The Drop Times: Sovereignty Expires; Licences Don’t

Europe is finally getting serious about digital sovereignty, and getting it half right. The instinct to "Buy European" is sound, but the frameworks being built around it are solving for the wrong variable. Ownership and headquarters are snapshots; they tell you where power sits today, not where it will sit after the next acquisition. Skype had every European credential imaginable. Microsoft shut it down in 2025.

The missing piece is durability. Dries and Nicholas argue, convincingly, that a sovereignty score without an open-source licensing requirement is a sovereignty score with an expiry date. The GPL licence did not stop Oracle from acquiring Sun Microsystems, but it ensured that MySQL could not be discontinued. MariaDB exists today because someone had the legal right to fork before the deal closed. That right is structural; it does not depend on which flag flies over the headquarters.

The forthcoming Cloud and AI Development Act is the real test. Europe can use it to define what makes sovereignty resilient: open licensing as a hard gate for mission-critical procurement, and supply chain assessments that distinguish between dependencies that can be replaced quickly and those that would take years to rebuild. Anything short of that risks becoming a checklist rather than a strategy.

With that, here are the key stories from the past week.

DISCOVER DRUPAL

EVENT

ORGANIZATION NEWS

DRUPAL COMMUNITY

SECURITY

Additional developments from across the Drupal ecosystem were published during the week. Readers can follow The Drop Times on LinkedIn, Twitter, Bluesky, and Facebook for ongoing updates. The publication is also active on Drupal Slack in the #thedroptimes channel.

Alka Elizabeth
Sub-editor
The Drop Times

20 Apr 2026 2:16pm GMT

Drupal AI Initiative: Drupal Is All In on AI. Now Comes the Hard Part

Original article posted by Christoph Breidert on 1xINTERNET website

Over a decade ago, I co-founded 1xINTERNET on the conviction that Drupal was the best platform for ambitious web applications. That bet paid off. But recently, as AI began disrupting our industry, I found myself facing an unfamiliar feeling: uncertainty. For the first time in my career, the path forward wasn't entirely clear.

If you are a decision-maker navigating this shift, you likely feel the same way. We are all trying to figure out how to leverage AI's huge potential without compromising enterprise security, compliance, or content quality.

The good news is that while the broader AI landscape remains turbulent, the direction for content management systems is becoming clear.

Christoph Breidert

Christoph Breidert
Christoph Breidert facilitating a Drupal AI workshop at DrupalCon Chicago 2026.

When the Drupal AI Initiative was founded in June 2025 by 1xINTERNET, Acquia, DropSolid, FreelyGive, and Salsa Digital, our mission was to chart that exact path. Today, alongside Niels Aers, my role is to manage the AI product direction so that organizations can confidently bring AI into production.

Since the founding, over 30 leading companies have joined the initiative. But a defining moment happened recently at DrupalCon Chicago 2026. During his keynote - the "Driesnote" - Drupal founder Dries Buytaert bluntly asked the community regarding the AI shift: Are you in or are you out?

The undeniable energy from the community and the rapidly intensifying momentum proved one thing: Drupal is all in on AI.

Drupal AI

But what does "all in" actually mean? We aren't just talking about adding superficial features like chatbots or simple text generators. We have built a powerful agentic infrastructure natively into Drupal. This provides us with a robust foundation, allowing organizations to build complex AI applications and deploy autonomous agents capable of executing multi-step workflows on their behalf.

What an Agentic CMS actually requires

Let's be clear: Agentic AI delivers incredible velocity, and every organization from SMEs to global enterprises needs that speed. But deploying autonomous agents without control is a liability. You need AI infrastructure that accelerates your workflows while ensuring that this speed doesn't destroy your content quality or violate your compliance rules.

This requires a robust governance foundation to run the infrastructure safely. The Drupal AI Initiative has spent the past months building exactly that. These are the final pieces we have built to complete the production-ready foundation:

  • AI Guardrails: Configurable rules that intercept both outgoing requests and incoming AI responses. Whether it's preventing the exposure of personal data (PII), ensuring prompt safety, or mitigating legal liability, guardrails keep the AI agents within defined boundaries.
  • AI Observability: Complete transparency into what your AI agents are doing. Every prompt, token usage metric, and model response is logged, providing a clear audit trail for compliance and cost optimization.
  • Context Control Center: AI models are useless without context. This system acts as a router, intelligently feeding the right organizational data (and only the right data) to the LLM based on the user's specific task.

Introducing AI Content Reviews

Let's separate the hype from reality: The core foundation of Drupal AI is production-ready today. With a secure governance infrastructure now in place, we are shifting from building the engine to delivering the applications. We are shipping out-of-the-box features so organizations can immediately benefit without building complex workflows from scratch.

The first major capability rolling out is AI Content Reviews. This is not a future roadmap concept, it is a real, tangible feature designed to close the quality gap for large websites by acting as a continuous, background quality assurance partner.

It provides scalable, AI-assisted content governance that integrates naturally into how editors already work. The system evaluates content against your organization's specific rules, such as brand voice, legal compliance, SEO, and accessibility. It flags issues, explains them in plain language, and proposes concrete fixes. Crucially, human oversight remains the starting point: an editor simply reviews the flagged issues and can apply the suggested fixes with a single click.

AI Review Management Overview
AI Review Management Overview

Upcoming features

AI Content Reviews is just the first application of our agentic infrastructure. Following close behind is AI-powered semantic search with synthesized summaries. This allows visitors to find what they need through meaning rather than keywords, enabling the site to surface direct answers instead of just a list of results.

We are also actively packaging AI assistants embedded natively across editorial workflows, site-building, and end-user interfaces. These capabilities have been thoroughly explored and validated in our innovation workstream and are now being readied for production use.

Want to see the full picture of what we are building? You can explore the complete Drupal AI Roadmap to see exactly where the initiative is heading next.

AI Roadmap
Overview Drupal AI Roadmap 2026.

Drupal's architectural advantage

Why build this directly into Drupal instead of relying on external AI services or other CMS platforms? It comes down to a fundamental technological advantage. Many modern CMS platforms, especially closed SaaS products and pure headless systems, force you to rely on disconnected external API wrappers to communicate with AI. This architectural limitation means your developers have to manually rebuild your existing user permissions, workflows, and access rules in a separate middleware layer just to keep the AI secure.

Drupal AI has a distinct head start because of its deep internal architecture:

  • Co-location with the Content Graph: AI models are only as good as the context they can access. By embedding AI orchestration directly within Drupal, the AI has native, zero-latency access to your entire structured content graph. There is no integration friction.
  • Native Permissions & Access Control: Because Drupal's entity system and field-level access controls are so deeply integrated, the AI operates entirely within your existing permissions. It cannot expose, analyze, or modify content the user shouldn't see.
  • Provider-Agnostic Abstraction: Similar to what makes frameworks like LangChain powerful, Drupal AI abstracts the LLM providers (OpenAI, Anthropic, local models, etc.). But unlike external middle-tiers, Drupal enforces strict schema typing before data ever hits your database, ensuring structural integrity.

An Unmatched Ecosystem for AI Agents: Autonomous agents need tools to interact with the outside world. Because Drupal already possesses a massive, deeply established ecosystem of enterprise integrations, your AI agents can directly interact with your CRMs, ERPs, and marketing platforms. You don't have to build custom API connectors for your AI to take action across your broader tech stack.

Drupal AI areas of focus

Moving forward

The uncertainty of the AI era remains, no one knows exactly what the landscape will look like in three years. I'm being honest about that. But what I do know is that the architecture we are building is solid, the foundation is ready, the community driving it is fully committed and has the resources.

If you are evaluating whether Drupal is the right foundation for AI-powered content management, you don't have to figure that out alone. The Drupal AI Partners network brings together specialized agencies with deep experience deploying exactly these capabilities. If you are ready to move from evaluation to implementation, that is the right place to start.

We are all building in conditions none of us have navigated before.
The difference is what we are building on.

20 Apr 2026 1:28pm GMT

18 Apr 2026

feedDrupal.org aggregator

Dominique De Cooman: Drupal Is No Longer Just a CMS Decision. It’s an AI Infrastructure Decision.

Agents need somewhere to live. And once content becomes data, the CMS that holds it becomes strategic.

18 Apr 2026 10:35am GMT

16 Apr 2026

feedDrupal.org aggregator

The Drop Times: Erdfisch Expands nerdfisch DevBits into Public Drupal Code Archive

Reusable fixes often remain confined to individual projects, forcing developers to solve the same problems repeatedly. erdfisch has expanded its internal DevBits system into a publicly accessible archive, exposing working Drupal code snippets drawn directly from project work. The collection prioritises immediate implementation over explanation, making internal solutions available without reshaping them into long-form documentation.

16 Apr 2026 2:41pm GMT

1xINTERNET blog: Drupal Is All In on AI. Now Comes the Hard Part

I co-founded 1xINTERNET on the conviction that Drupal was the right platform for ambitious web applications. AI changed that certainty. Here is what the Drupal AI Initiative is building, what organizations are getting first, and why the direction is clear.

16 Apr 2026 11:00am GMT

Drupal Starshot blog: Differentiating Marketplace Site Templates and Community Site Templates

Site templates are available through two distinct pathways, each serving different needs within the community.

The official Drupal.org Marketplace provides a curated collection of site templates that meet certain quality standards, and are built on top of Drupal CMS as a foundation.

Community templates offer an alternative pathway for innovation and experimentation without the constraints of the curation process, by publishing the template as a general project on Drupal.org.

Official Marketplace Site Templates

The Drupal.org Marketplace are built on top of Drupal CMS, and curated to provide new users with confidence that they're starting with a consistent, solid and professionally built foundation that follows established best practices.

Key characteristics

  • Templates undergo a review processes

  • Must follow Drupal CMS best practices for security, accessibility (WCAG 2.2 AA), performance, and code quality

  • In the beginning, focus is solely on growing Drupal CMS adoption; site templates accelerate adoption of Drupal CMS by providing context relevant demo content and Drupal Canvas-compatible theme

  • Clear documentation, maintenance commitments, and user support expectations

  • Currently open to Drupal Certified Partners (for organizations) and Ripplemakers (for individuals or very small companies). Apply to become a creator here.

Benefits

  • Consistency for users who need reliable, production-ready starting points

  • Quality assurance through professional review processes

  • Support and maintenance commitments for long-term sustainability

  • Revenue opportunities for professional template creators

  • Sustainability for the Drupal Association through revenue sharing

Community Site Templates

Anyone interested in contributing a template can do so now, by publishing it as a general project on Drupal.org. All free site templates, including marketplace templates, are general projects for packaging and distribution purposes. Community site templates will be considered for inclusion in the Drupal.org Marketplace based on their compatibility with the outlined criteria.

Key characteristics

  • Can be published without formal review or approval

  • Not bound by the same standards as Marketplace templates

  • Can be built using Drupal CMS or Drupal Core

  • Available to all community members

  • Can take risks and explore directions that might not fit Marketplace criteria

Benefits:

  • Innovation by removing barriers to experimentation

  • Diversity of approaches and implementations

  • Learning opportunities for the community to explore what's possible

  • Stepping stones that might eventually evolve into Marketplace templates

  • Lower barriers to entry for community contribution

16 Apr 2026 3:10am GMT

15 Apr 2026

feedDrupal.org aggregator

Security advisories: Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

Project:
Date:
2026-April-15
Vulnerability:
Cross-site scripting
Affected versions:
>= 11.3.0 < 11.3.7
CVE IDs:
CVE-2026-6367
Description:

Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5.

The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user.

Solution:

Install the latest version:

  • If you use Drupal 11.3.x, update to Drupal 11.3.7
  • Drupal versions below 11.3 are not affected by this vulnerability
Fixed By:
Coordinated By:

15 Apr 2026 7:27pm GMT

Security advisories: Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Project:
Date:
2026-April-15
Vulnerability:
Gadget Chain
Affected versions:
>= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7
CVE IDs:
CVE-2026-6366
Description:

Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.

This issue is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

Solution:

Install the latest version:

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Fixed By:
Coordinated By:

15 Apr 2026 7:25pm GMT

Security advisories: Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001

Project:
Date:
2026-April-15
Vulnerability:
Cross-site scripting
Affected versions:
>= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7
CVE IDs:
CVE-2026-6365
Description:

Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which which can lead to a cross-site scripting (XSS) vulnerability.

Solution:

Install the latest version:

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Fixed By:
Coordinated By:

15 Apr 2026 7:24pm GMT