The Night the Internet Tried to Kill Your Website
John Locke
May 2026
The rain had been falling on the city for weeks.
Not real rain. The kind that falls on the internet - a constant drumbeat of probes, scans, and automated fists rattling every doorknob on every block, every hour of the day. Most people don't hear it. That's fine. That's what we're here for.
My name doesn't matter. Call me the op. I run a small shop - we keep websites alive, patch the holes before the wrong people find them, and make sure that when something goes sideways, there's always a way back. It's not glamorous work. But this spring? This spring was something else.
Drupal Core Accessibility Maintainer Mike Gifford says organisations risk accelerating inaccessible digital experiences when accessibility remains dependent on isolated advocates instead of embedded governance systems. Speaking as part of The DropTimes' continuing Global Accessibility Awareness Day coverage, Gifford argued that sustainable accessibility depends on integrating accountability, workflows, testing, and organisational culture directly into development infrastructure before automated systems amplify poor practices at scale.
Visualization of Drupal Core Change records over the years
How many Drupal Core change records (CR) have there been over the years? Is it a manageable amount for contrib maintainers? How many are about something new or deprecated? This is what it looks like since 2018. For visual effect I grouped CRs in 4 buckets:
AI is accelerating content creation, making estate-scale governance critical. Learn the 5 dimensions of content governance and why it must live natively in your CMS.
Ahead of Global Accessibility Awareness Day, contributors associated with A11yTalks and the Drupal community discussed how accessibility initiatives deteriorate when governance, training, and operational responsibility are not sustained over time. The discussions also examined the role of AI-assisted development workflows and why open-source communities often became early spaces for accessibility collaboration and inclusion.
Keyword search struggles with natural language and exploratory questions. Daniel walked the DrupalSouth 2026 audience through how OpenSearch and Skpr enable semantic search that understands intent and meaning, and how Retrieval-Augmented Generation (RAG) transforms results into clear, human-friendly answers grounded in your actual content.
The highlight of the week was the Splash Awards - and this year, we are honoured to have won:
Best in Government with Cancer Australia for the GovCMS PaaS project we did in collaboration with Paper Moose
Best in Show with Cancer Australia
Community People's Choice Award - Adam Bramley (jointly awarded to Nicole Ritchie)
Hall of Fame - Lee Rowlands
Congratulations to Lee and Adam! Both deserved the recognition for their active work with the Drupal Community.
The Best in Show win for Cancer Australia makes this a remarkable run. PreviousNext has now won Best in Show three times back to back. Here's the full picture:
Wellington was also a milestone for Skpr, which officially launched in the New Zealand market at DrupalSouth. If you haven't seen or heard about Skpr yet, now is a good time!
From there, it was all about the Drupal community. We spent the week reconnecting with familiar faces, meeting new ones, and having the kinds of conversations that don't happen over email.
We had six PreviousNext team members take the stage this year:
Michael Strelan - Recipes, Site Templates and the future of Drupal distributions
Nick Schuch - Practical Performance Testing
Nathan Ter Bogt - Security on Autopilot: Low-Touch Automated Security for Drupal Projects
We were also thrilled to have Lara Saunders from Bond University join us at DrupalSouth this year. It's always great to see clients engage with the broader Drupal community.
We're incredibly proud of the team - and grateful to the clients and community who make this kind of recognition possible. See you all next year on the Gold Coast!
Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.
This vulnerability can be exploited by anonymous users.
This vulnerability only affects sites using PostgreSQL. However, the dependency updates in this release apply to all sites.
Upstream security advisories
The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities.
Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.
Solution:
Install the latest version.
The following releases will be available as soon as automated release packaging is complete. You may receive a 404 in the interim. The updates may also be available on Packagist sooner.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.
Recently, I contributed an AI-powered Schema.org JSON-LD module to Drupal that uses AI automators to generate Schema.org JSON-LD, building a knowledge graph that improves SEO/AEO by making it easier for machines to understand your website. The module was built with AI in 4 days, whereas the Schema.org Blueprints module with a similar goal took 4 years. I have been so shocked by how efficiently AI can code and build software that I realized, "AI ate my work, and I need to be okay with that." I wrote about how I am adjusting to this new "AI" normal.
A slightly different reckoning is unfolding for our websites because AI is consuming our content, thereby reducing traffic. Providing Schema.org JSON-LD is one way to feed the machines. AIs are becoming the front page of most websites. To adapt to this new "AI" normal, where an AI is the gatekeeper to your website, we need to evolve our approach to building and managing our websites.
Adaptation
Personally, "adaptation" feels like the right word to describe the challenge and change we, developers, site builders, managers, and owners, are facing right now. Adaptation is forced upon us by external constraints or opportunities, depending on your point of view, to evolve our approach to building and sharing information. There is a much larger discussion about the impact of AI on who we are, what we are building, and how we build. For now, I want to focus on what Drupal-built websites need to consider to adapt and keep up with the rapidly evolving digital landscape, which is largely out of our control.
Out of our control
How AIs are consuming our websites is out of our control. If you look back at how websites continually bent and tweaked to get a bump in page ranking, implementing now-defunct things like AMP (Accelerated Mobile Pages) because Google told us to,...
The Drupal Security Team has released SA-CORE-2026-004, confirming that the highly critical issue previewed in yesterday's advance advisory is an anonymous SQL injection vulnerability affecting Drupal sites running PostgreSQL databases. The flaw, tracked as CVE-2026-9082, exists in Drupal core's database abstraction API and can lead to information disclosure, privilege escalation, and potentially remote code execution. The coordinated release also includes upstream Symfony and Twig security fixes, prompting update recommendations for all supported Drupal installations regardless of database configuration.
Last week at DrupalSouth, Pamela Barone delivered a keynote on Drupal CMS. Her talk is one of the clearest articulations I've seen of what Drupal CMS is, why it exists, and where it's headed. That shouldn't come as a surprise because Pam is the Product Lead for Drupal CMS.
Pam quoted a familiar Drupal saying: Drupal makes hard things possible, but it also makes easy things hard. The room laughed because it's true.
Her keynote makes the case that Drupal CMS is making Drupal easier across the board: visual page editing, a gentler on-ramp for new developers, and project economics that finally work for smaller budgets. Larger organizations such as universities, governments, and Fortune 2000 companies want those same advantages, which is why Drupal CMS matters at every scale.
Pam also explains how Drupal CMS sits on top of Drupal Core, why it is not a Drupal distribution, how it gives digital agencies leverage, what site templates unlock, and how Drupal Canvas reshapes the page building experience.
If you watch one Drupal video this week, make it Pam's!
Now that some drupal.org projects are having their issue queues moved to GitLab, this is probably a good time to start getting used to the new interface and all the new functionality. This quicktip covers two important bits that I think most Drupal contributors will want to take note of.
Enable notifications
If you're an active contributor, then you probably depend on the email notifications that have been sent out by drupal.org when an issue that you're involved in or following has an update. If you're expecting this to just work with GitLab, you should probably be aware that by default, GitLab notifications will be configured to be sent to a "no-reply.drupal.org" email address for your Drupal user account - in other words, you won't be getting any notifications. You can easily change this by visiting https://git.drupalcode.org/-/profile/notifications and changing your Global notification email.
This page also has (much) more granular notification settings, but for most users
The question used to be whether your website would face a serious security threat. That question has been answered. The question now is whether you'll be ready when it happens - and whether you can recover cleanly when something gets through.
We are proud to share that the Drupal Association has been awarded a grant from the Alpha-Omega Project, a project of The Linux Foundation, which seeks to help open source projects identify and mitigate security vulnerabilities.
As AI-generated commits and AI-driven security threats become the norm, open-source ecosystems must evolve rapidly. This funding directly strengthens the already mature Drupal Security Team, ensuring our core ecosystem is hardened against the modern, AI-age vulnerabilities.
The funding provided by Alpha-Omega will enable the Drupal Security Team to build the program we need to stay ahead in this fast-moving environment. Drupal's already excellent security position will be even better going forward.
~ Tim Doyle, CEO at Drupal Association.
Security has been a defining pillar of the Drupal ecosystem. This collaboration with the Alpha-Omega Project underscores our ongoing commitment to open-source resilience, solidifying Drupal's position as the gold standard for secure enterprise content management.
Drupal is, and will continue to be, one of the most secure CMS platforms in the world.
Python has become central to AI systems, automation workflows and data processing, increasing demand for reliable integrations between Drupal and external developer ecosystems. In this contributed article, Drupal architect Vincenzo Gambino discusses the Python ports of Drupal API Client and Drupal JSON:API Params, explaining how cross-language tooling can help Drupal integrate more effectively with AI applications, headless architectures and modern development workflows.
Is your Drupal website silently accumulating security, performance, or scalability risks? Check out the essential Drupal maintenance best practices enterprises use to keep Drupal 11 websites secure and efficient.