Drupal feeds

Freelock Blog: The Night the Internet Tried to Kill Your Website

Drupal Planet -

John Locke, Fri, 05/22/2026 - 11:30, May 2026

The rain had been falling on the city for weeks.

Not real rain. The kind that falls on the internet — a constant drumbeat of probes, scans, and automated fists rattling every doorknob on every block, every hour of the day. Most people don't hear it. That's fine. That's what we're here for.

My name doesn't matter. Call me the op. I run a small shop — we keep websites alive, patch the holes before the wrong people find them, and make sure that when something goes sideways, there's always a way back. It's not glamorous work. But this spring? This spring was something else.

The Drop Times: Mike Gifford Says Accessibility Must Be Built Into Workflows Before AI Scales Bad Patterns

Drupal Planet -

Drupal Core Accessibility Maintainer Mike Gifford says organisations risk accelerating inaccessible digital experiences when accessibility remains dependent on isolated advocates instead of embedded governance systems. Speaking as part of The DropTimes’ continuing Global Accessibility Awareness Day coverage, Gifford argued that sustainable accessibility depends on integrating accountability, workflows, testing, and organisational culture directly into development infrastructure before automated systems amplify poor practices at scale.

The Drop Times: Accessibility Contributors Discuss Continuity, Governance, and AI Ahead of GAAD

Drupal Planet -

Ahead of Global Accessibility Awareness Day, contributors associated with A11yTalks and the Drupal community discussed how accessibility initiatives deteriorate when governance, training, and operational responsibility are not sustained over time. The discussions also examined the role of AI-assisted development workflows and why open-source communities often became early spaces for accessibility collaboration and inclusion.

Security advisories: Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Drupal Planet -

Project: Drupal core
Date: 2026-May-20
Security risk: Highly critical 20 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: SQL injection
Affected versions: >= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10
CVE IDs: CVE-2026-9082
Description:

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.

This vulnerability can be exploited by anonymous users.

This vulnerability only affects sites using PostgreSQL. However, the dependency updates in this release apply to all sites.

Upstream security advisories

The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities.

Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.

Solution: 

Install the latest version.

The following releases will be available as soon as automated release packaging is complete. You may receive a 404 in the interim. The updates may also be available on Packagist sooner.

Drupal 11 Drupal 10 Drupal 9 and 8

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.

Reported By: Fixed By: Coordinated By: 

Jacob Rockowitz: Drupal (AI) Playground: AIs are eating our websites, and we need to adapt.

Drupal Planet -

Recently, I contributed an AI-powered Schema.org JSON-LD module to Drupal that uses AI automators to generate Schema.org JSON-LD, building a knowledge graph that improves SEO/AEO by making it easier for machines to understand your website. The module was built with AI in 4 days, whereas the Schema.org Blueprints module with a similar goal took 4 years. I have been so shocked by how efficiently AI can code and build software that I realized, "AI ate my work, and I need to be okay with that." I wrote about how I am adjusting to this new "AI" normal.

A slightly different reckoning is unfolding for our websites because AI is consuming our content, thereby reducing traffic. Providing Schema.org JSON-LD is one way to feed the machines. AIs are becoming the front page of most websites. To adapt to this new "AI" normal, where an AI is the gatekeeper to your website, we need to evolve our approach to building and managing our websites.

Adaptation

Personally, "adaptation" feels like the right word to describe the challenge and change we, developers, site builders, managers, and owners, are facing right now. Adaptation is forced upon us by external constraints or opportunities, depending on your point of view, to evolve our approach to building and sharing information. There is a much larger discussion about the impact of AI on who we are, what we are building, and how we build. For now, I want to focus on what Drupal-built websites need to consider to adapt and keep up with the rapidly evolving digital landscape, which is largely out of our control.

Out of our control

How AIs are consuming our websites is out of our control. If you look back at how websites continually bent and tweaked to get a bump in page ranking, implementing now-defunct things like AMP (Accelerated Mobile Pages) because Google told us to,...

The Drop Times: Drupal Releases SA-CORE-2026-004 Fixing Critical Database Injection Vulnerability

Drupal Planet -

The Drupal Security Team has released SA-CORE-2026-004, confirming that the highly critical issue previewed in yesterday’s advance advisory is an anonymous SQL injection vulnerability affecting Drupal sites running PostgreSQL databases. The flaw, tracked as CVE-2026-9082, exists in Drupal core’s database abstraction API and can lead to information disclosure, privilege escalation, and potentially remote code execution. The coordinated release also includes upstream Symfony and Twig security fixes, prompting update recommendations for all supported Drupal installations regardless of database configuration.

Dries Buytaert: Why Drupal CMS matters

Drupal Planet -

Last week at Drupal South, Pamela Barone delivered a keynote on Drupal CMS. Her talk is one of the clearest articulations I've seen of what Drupal CMS is, why it exists, and where it's headed. That shouldn't come as a surprise because Pam is the Product Lead for Drupal CMS.

Pam quoted a familiar Drupal saying: "Drupal makes hard things possible, but it also makes easy things hard." The room laughed because it's true.

Her keynote makes the case that Drupal CMS is making Drupal easier across the board: visual page editing, a gentler on-ramp for new developers, and project economics that finally work for smaller budgets. Larger organizations such as universities, governments, and Fortune 2000 companies want those same advantages, which is why Drupal CMS matters at every scale.

Pam also explains how Drupal CMS sits on top of Drupal Core, why it is not a Drupal distribution, how it gives digital agencies leverage, what site templates unlock, and how Drupal Canvas reshapes the page building experience.

If you watch one Drupal video this week, make it Pam's!

DrupalEasy: Getting comfortable with Gitlab and the Drupal issue queue

Drupal Planet -

Now that some drupal.org projects are having their issue queues moved to Gitlab, this is probably a good time to start getting used to the new interface and all the new functionality. This quicktip covers two important bits that I think most Drupal contributors will want to take note of.

Enable notifications

If you're an active contributor, then you probably depend on the email notifications that have been sent out by drupal.org when an issue that you're involved in or following has an update. If you're expecting this to just work with Gitlab, you should probably be aware that by default, Gitlab notifications will be configured to be sent to a "no-reply.drupal.org" email address for your Drupal user account - in other words, you won't be getting any notifications. You can easily change this by visiting https://git.drupalcode.org/-/profile/notifications and changing your Global notification email.

This page also has (much) more granular notification settings, but for most users

Freelock Blog: Your Website Will Be Attacked. Here's How We Make Sure You Survive It.

Drupal Planet -

John Locke, Tue, 05/19/2026 - 09:00

The question used to be whether your website would face a serious security threat. That question has been answered. The question now is whether you'll be ready when it happens — and whether you can recover cleanly when something gets through.

Sustainable/Open Business

Drupal Association blog: Drupal Association secures Alpha-Omega grant to future-proof Open-Source Security for the AI Era.

Drupal Planet -

We are proud to share that the Drupal Association has been awarded a grant from the Alpha-Omega Project, a project of The Linux Foundation, which seeks to help open source projects identify and mitigate security vulnerabilities.

As AI-generated commits and AI-driven security threats become the norm, open-source ecosystems must evolve rapidly. This funding directly strengthens the already mature Drupal Security Team, ensuring our core ecosystem is hardened against modern, AI-age vulnerabilities.

The funding provided by Alpha-Omega will enable the Drupal Security Team to build the program we need to stay ahead in this fast moving environment. Drupal’s already excellent security position will be even better going forward.

~ Tim Doyle, CEO at Drupal Association.

Security has been a defining pillar of the Drupal ecosystem. This collaboration with the Alpha-Omega Project underscores our ongoing commitment to open-source resilience, solidifying Drupal's position as the gold standard for secure enterprise content management.

Drupal is, and will continue to be, one of the most secure CMS platforms in the world.

The Drop Times: Python Ports of Drupal API Client and JSON:API Params Streamline AI Workflows

Drupal Planet -

Python has become central to AI systems, automation workflows and data processing, increasing demand for reliable integrations between Drupal and external developer ecosystems. In this contributed article, Drupal architect Vincenzo Gambino discusses the Python ports of Drupal API Client and Drupal JSON:API Params, explaining how cross-language tooling can help Drupal integrate more effectively with AI applications, headless architectures and modern development workflows.

Freelock Blog: The Rules Have Changed: Security in the Age of AI-Assisted Attacks

Drupal Planet -

John Locke, Mon, 05/18/2026 - 19:00

Security is getting dramatically harder and more expensive. AI is simultaneously driving an explosion in vulnerability discovery and weaponizing the exploits that follow. The question for every organization with anything online is no longer whether to invest in resilience — it's whether that investment is already in place before the next incident arrives.

Dev Corner

DDEV Blog: Upsun Completes DDEV Trademark Transfer to the DDEV Foundation - THANK YOU!

Drupal Planet -

We're thrilled and thankful to announce that Upsun has completed the transfer of the DDEV trademarks to the DDEV Foundation.

The DDEV Foundation now owns the DDEV name outright, and DDEV's name and identity belong to its community.

A Long Story With a Happy Ending

When we were on the verge of losing the right to use the name "DDEV" several years ago, Platform.sh (now Upsun) stepped in to acquire and hold the trademark on the project's behalf. That act of generosity kept the project alive under its own name. Since then, as documented in our December 2025 post, Upsun had been in the process of transferring that trademark to the DDEV Foundation as the foundation matured into a stable home for the project.

That transfer is now complete.

What This Means

The DDEV Foundation is the independent, community-governed home for the DDEV project. With the trademark in the foundation's hands, DDEV's governance and identity are fully decoupled from any corporate sponsor.

This is exactly the kind of long-term resilience that open-source projects need to thrive across decades, not just years.

You can learn more about the foundation's structure, board, finances, and mission at ddev.com/foundation.

Thank You, Upsun

Upsun/Platform.sh has done so much for this project over the years:

  • Rescued the DDEV trademark when it was at risk
  • Sponsored DDEV at a lead level for several years, funding core development
  • Held and maintained the trademark until the foundation was ready to receive it
  • Completed this transfer now, with no strings attached
  • Continued sponsoring DDEV at $1,000/month level!

This is a real contribution to the open-source ecosystem, and we're grateful for it.

The Foundation Still Needs Your Support

Trademark ownership is a milestone, but it doesn't pay for development. The DDEV Foundation funds the developers who maintain the project you rely on every day — and we still have a funding gap.

We're excited that we've made it to 78% of our monthly sponsorship goal. Here's how you can help to get us over the top:

  • GitHub Sponsors — Fast and flexible, any amount, personal or organizational
  • Support contracts — Priority support while funding the project
  • Custom invoicing — We work with your procurement process
  • One-time contributions — Always welcome

Contact us to talk through what works for your organization, or join the conversation in Discord.

DDEV serves about 20,000 developers every week. Your sponsorship keeps it maintained, secure, and growing.

Claude Code assisted with editing for this post.

Nonprofit Drupal posts: May 2026 Drupal for Nonprofits Chat

Drupal Planet -

Join us THURSDAY, May 21 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits. Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google document at https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone.

Information on joining the meeting can be found in our collaborative Google document.

Security public service announcements: Upcoming highly critical release on May 20, 2026 - PSA-2026-05-18

Drupal Planet -

Date: 2026-May-18
Description:

There will be a Drupal core security release for all supported branches on May 20, 2026, between 17:00 and 21:00 UTC. (To see this in your local timezone, refer to the Drupal Core Calendar.) The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days.

The risk is currently rated as:
Highly critical 20 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon.

Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.

We recommend updating to the latest supported patch (bugfix) release for your site's version of Drupal before May 20, so that you can address any other upgrade issues before the security window. (Recommendations for specific Drupal versions follow.)

This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected from known attack vectors, but should upgrade in the near future in case additional attack vectors are discovered.

Affected versions

Supported core versions

Security releases will be provided for all the currently supported branches of Drupal core, which are:

  • 11.3.x
  • 11.2.x
  • 10.6.x
  • 10.5.x

Sites on one of these supported versions should update to the latest patch release for the given branch now in preparation for the security window.

End-of-life minor core versions (Drupal 10 and 11)

While the Drupal Security Team does not normally provide security releases for unsupported releases, given the severity of the issue, we are providing 11.1.x and 10.4.x releases that include the fix for sites which have not yet had a chance to update. Therefore, in advance of the window:

  • Sites on Drupal 11.1 or 11.0 should update to at least Drupal 11.1.9.
  • Sites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least Drupal 10.4.9.

These sites should apply the security update as soon as it is released on May 20, then plan to update to Drupal 11.3 or 10.6 in the near future. (Two other recent security advisories, SA-CORE-2026-001 and SA-CORE-2026-002, will not be addressed for 11.1 or 10.4.)

End-of-life major core versions (Drupal 8 and 9)

These major versions are fully end-of-life, so no releases will be created for these branches. However, given the potential severity of this issue, we will provide patch files for Drupal 8.9 and 9.5.

These patches must be applied manually. They are not guaranteed to work correctly, and might introduce other bugs or regressions. However, they may help mitigate the vulnerability for sites still on these old major versions until they upgrade to a supported release.

For the best chance of the patches being applied successfully:

  • Sites on any version of Drupal 9 should update to Drupal 9.5.11.
  • Sites on any version of Drupal 8 should update to Drupal 8.9.20.

We strongly recommend Drupal 8 or 9 sites update to at least Drupal 10.6 soon. Drupal 8 and 9 include numerous other, previously disclosed security vulnerabilities that will not be addressed by either Drupal Steward or the best-effort patch files.

Drupal 7 is not affected.

Disclosure policy

Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, on Bluesky, Mastodon, X (formerly Twitter), and LinkedIn, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on Drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

Security release announcements will appear on the Drupal.org security advisory page which also has RSS feeds.

Coordinated By: 

Talking Drupal: Talking Drupal #553 - Saving The Open Web

Drupal Planet -

Today we are talking about The Open Web, What it means, and Why it's important with guest Alex Moreno. We'll also cover AI Schema.org JSON-LD as our module of the week.

For show notes visit: https://www.talkingDrupal.com/553

Topics
  • Defining the Open Web
  • Drupal in a Bubble
  • Marketing and PR Challenges
  • AI Bias Against Drupal
  • Why AI Won't Recommend Drupal
  • Is Drupal AI Native
  • Marketing Against Giants
  • Local Evangelism Push
  • Funding Outreach Trips
  • Drupal CMS PR Gap
  • Templates Lower Barriers
  • Need a Drupal Onramp
  • Speaking Beyond Drupal
  • Web Summit Lessons
  • Sell Problems Not Drupal
  • Rethinking DrupalCon
  • Camps and New Audiences
  • Marketplace Ecosystem Idea
  • Wrap Up and Contacts
Resources

Guests

Alex Moreno - alexmoreno

Hosts

Nic Laflin - nLighteneddevelopment.com nicxvan
John Picozzi - epam.com johnpicozzi
Bernardo Martinez - bernardm28

MOTW Correspondent

Jacob Rockowitz - jrockowitz.com jrockowitz

  • Brief description:
    • The AI Schema.org JSON-LD module provides a straightforward way to send a prompt — including a webpage's content and data, along with instructions and requirements — to an AI provider and receive a response containing valid Schema.org JSON-LD for saving and embedding in a webpage. It's a "glue module" that combines AI Automators, Field Widget Actions, and JSON Field to create an AI-powered Schema.org JSON-LD field for content entities.
  • Module name/project name:
  • Brief history
    • How old: Created in April 2026 by jrockowitz (Jacob Rockowitz) of The Big Blue House
    • Versions available: 1.0.0-alpha1 (requires Drupal ^11.3); 1.0.x-dev branch also available
  • Maintainership
    • Actively maintained: Yes — updated as recently as April 30, 2026
    • Security coverage: No — not currently covered by Drupal's security advisory policy; use at your own risk
    • Test coverage: The module notes that all contributed code must include test coverage, though it is early alpha
    • Documentation: Yes — the project page includes setup instructions, implementation guidance, philosophy, and a 2-minute demo video on YouTube
    • Number of open issues: 0 open issues, 0 of which are bugs against the current branch
  • Usage stats:
    • 1 site currently reporting use of this module
  • Module features and usage
    • Adds a native JSON "Schema.org JSON-LD" field to content entities (nodes, media, taxonomy terms)
    • Field is populated via an AI automator triggered by a Field Widget Action, keeping a human in the review loop before saving
    • Stores Schema.org JSON-LD as native JSON data, creating a fully queryable knowledge graph for the site
    • Works with complex nested content structures (paragraphs, components) by having AI parse and generate the structured data
    • Includes an optional sub-module for logging prompts and AI responses for human and AI review and iterative improvement
    • Configurable per entity type/bundle via UI, Drush, or Drupal recipe
    • Philosophy: "Use AI to build a tool that helps AI understand your website while always keeping a human in the loop"
    • Built using AI coding agents (Claude and Codex), with community contributions encouraged — especially around crafting and sharing optimal prompts
