Drupal 10.x — End of Life

EOL soon Actively exploited

EOL: Dec 16, 2026in 190d7 releases in this series21 CVEs

Drupal 10.x — All releases

Version	Released	Active support	EOL date	Latest patch	Status
10.6	Dec 17, 2025	Jun 16, 2026	Dec 16, 2026	10.6.10	Active
10.5	Jun 18, 2025	Dec 17, 2025	Jun 17, 2026	10.5.11	EOL soon
10.4	Dec 17, 2024	Jun 18, 2025	Dec 10, 2025	10.4.10	EOL
10.3	Jun 20, 2024	Aug 2, 2024	Jun 16, 2025	10.3.14	EOL
10.2	Dec 15, 2023	Jun 20, 2024	Dec 17, 2024	10.2.12	EOL
10.1	Jun 22, 2023	Dec 15, 2023	Jun 20, 2024	10.1.8	EOL
10.0	Dec 15, 2022	Jun 21, 2023	Dec 15, 2023	10.0.11	EOL

CVEs affecting Drupal 10.x (21)

CVE	Severity	CVSS	EPSS	KEV	Cycle	Description	Published
CVE-2026-9082	CRITICAL	9.8	10.40%	KEV	10.6	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core…	May 20, 2026
CVE-2026-9082	CRITICAL	9.8	10.40%	KEV	10.5	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core…	May 20, 2026
CVE-2026-9082	CRITICAL	9.8	10.40%	KEV	10.0	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core…	May 20, 2026
CVE-2026-9082	CRITICAL	9.8	10.40%	KEV	10.4	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core…	May 20, 2026
CVE-2026-9082	CRITICAL	9.8	10.40%	KEV	10.1	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core…	May 20, 2026
CVE-2026-9082	CRITICAL	9.8	10.40%	KEV	10.2	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core…	May 20, 2026
CVE-2026-9082	CRITICAL	9.8	10.40%	KEV	10.3	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core…	May 20, 2026
CVE-2026-6366	MEDIUM	6.6	0.08%	—	10.2	Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow…	May 19, 2026
CVE-2026-6366	MEDIUM	6.6	0.08%	—	10.5	Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow…	May 19, 2026
CVE-2026-6366	MEDIUM	6.6	0.08%	—	10.4	Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow…	May 19, 2026
CVE-2026-6366	MEDIUM	6.6	0.08%	—	10.3	Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow…	May 19, 2026
CVE-2026-6366	MEDIUM	6.6	0.08%	—	10.1	Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow…	May 19, 2026
CVE-2026-6366	MEDIUM	6.6	0.08%	—	10.0	Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow…	May 19, 2026
CVE-2026-6366	MEDIUM	6.6	0.08%	—	10.6	Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow…	May 19, 2026
CVE-2026-6365	MEDIUM	6.1	0.05%	—	10.5	Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core…	May 19, 2026
CVE-2026-6365	MEDIUM	6.1	0.05%	—	10.6	Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core…	May 19, 2026
CVE-2026-6365	MEDIUM	6.1	0.05%	—	10.0	Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core…	May 19, 2026
CVE-2026-6365	MEDIUM	6.1	0.05%	—	10.1	Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core…	May 19, 2026
CVE-2026-6365	MEDIUM	6.1	0.05%	—	10.2	Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core…	May 19, 2026
CVE-2026-6365	MEDIUM	6.1	0.05%	—	10.3	Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core…	May 19, 2026
CVE-2026-6365	MEDIUM	6.1	0.05%	—	10.4	Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core…	May 19, 2026

Drupal 10.x will reach end of life — migrate to Drupal 11.x

Drupal 11.x is the next major release. Plan your upgrade before Drupal 10.x stops receiving security patches.

See Drupal 11.x

Frequently asked questions

Is Drupal 10 end of life?

Partially. Some Drupal 10.x releases have reached EOL. Check the version table above for the exact status of each sub-release.

What CVEs affect Drupal 10?

There are 21 CVEs tracked for Drupal 10.x, including 7 critical severity issues and 7 listed in the CISA Known Exploited Vulnerabilities catalog. See the full list above with CVSS and EPSS scores.

What is the latest Drupal 10 version?

The latest Drupal 10.x patch release is 10.6.10, released on May 28, 2026. Always run the latest patch to benefit from all security fixes.

How to migrate from Drupal 10 to Drupal 11?

To migrate from Drupal 10 to Drupal 11: (1) review the official Drupal 11 migration guide for breaking changes, (2) update dependencies and configuration accordingly, (3) test thoroughly in a staging environment, (4) deploy with a rollback plan. Starting early gives you time to resolve compatibility issues before your current version reaches end of life.

Is it safe to run Drupal 10 in production?

Drupal 10 is still supported and safe for production use until December 16, 2026. Ensure you are running the latest patch version (10.6.10) to have all security fixes applied.

Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA