Drupal 11.x — End of Life
EOL soon Actively exploitedDrupal 11.x — All releases
| Version | Released | Active support | EOL date | Latest patch | Status |
|---|---|---|---|---|---|
| 11.3 | Dec 17, 2025 | Jun 16, 2026 | Dec 16, 2026 | 11.3.11 | Active |
| 11.2 | Jun 18, 2025 | Dec 10, 2025 | Jun 17, 2026 | 11.2.13 | EOL soon |
| 11.1 | Dec 16, 2024 | Jun 18, 2025 | Dec 10, 2025 | 11.1.10 | EOL |
| 11.0 | Aug 2, 2024 | Dec 16, 2024 | Jun 16, 2025 | 11.0.13 | EOL |
CVEs affecting Drupal 11.x (13)
| CVE | Severity | CVSS | EPSS | KEV | Cycle | Description | Published |
|---|---|---|---|---|---|---|---|
| CVE-2026-9082 | CRITICAL | 9.8 | 10.40% | KEV | 11.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core… | May 20, 2026 |
| CVE-2026-9082 | CRITICAL | 9.8 | 10.40% | KEV | 11.2 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core… | May 20, 2026 |
| CVE-2026-9082 | CRITICAL | 9.8 | 10.40% | KEV | 11.1 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core… | May 20, 2026 |
| CVE-2026-9082 | CRITICAL | 9.8 | 10.40% | KEV | 11.0 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core… | May 20, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 11.0 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 11.2 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 11.1 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 11.3 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6367 | MEDIUM | 6.1 | 0.03% | — | 11.3 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 11.2 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 11.3 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 11.0 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 11.1 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
Frequently asked questions
Is Drupal 11 end of life?
Partially. Some Drupal 11.x releases have reached EOL. Check the version table above for the exact status of each sub-release.
What CVEs affect Drupal 11?
There are 13 CVEs tracked for Drupal 11.x, including 4 critical severity issues and 4 listed in the CISA Known Exploited Vulnerabilities catalog. See the full list above with CVSS and EPSS scores.
What is the latest Drupal 11 version?
The latest Drupal 11.x patch release is 11.3.11, released on May 28, 2026. Always run the latest patch to benefit from all security fixes.
When was Drupal 11 first released?
Drupal 11.0 was initially released on December 17, 2025. See the full version timeline in the table above.
Is it safe to run Drupal 11 in production?
Drupal 11 is still supported and safe for production use until December 16, 2026. Ensure you are running the latest patch version (11.3.11) to have all security fixes applied.
Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA