Skip to main content


Drupal CMS Vulnerability and Security Updates, issued June 01, 2021

Drupal has released security updates to address a vulnerability affecting Drupal CMS 8.9, 9.0, and 9.1 versions. Successful exploitation of these vulnerabilities could allow for remote code execution or an attacker could take control of an unpatched system.

Security Risks
Drupal core uses the third-party CKEditor library. The library prior to CKEditor 4.16.1 has an error in parsing HTML that could lead to a Cross Site Scripting (XSS) attack. However, CKEditor 4.16.1, and later, include the security fix.

The National Cyber Security Authority recommends all Drupal users and administrators to install the latest version as follows:

Versions of Drupal 7 and 8 prior to 8.9.x are end-of-life and no longer receive security updates and patches.

  • Where Drupal versions in use are at end-of-life, you are advised to install immediately Drupal 9.1.9, which is the latest stable release of Drupal core.

System administrators should continually check for software versions and update as new versions become available.

For further information and support, please contact the National Cyber Security Authority (NCSA) by email to or call us on 9009

Drupal Core - Security Advisories