Drupal 8.x — End of Life
EOL Actively exploitedDrupal 8.x — All releases
| Version | Released | Active support | EOL date | Latest patch | Status |
|---|---|---|---|---|---|
| 8.9 | Jun 3, 2020 | Dec 1, 2020 | Nov 2, 2021 | 8.9.20 | EOL |
| 8.8 | Dec 4, 2019 | Jun 3, 2020 | Dec 1, 2020 | 8.8.12 | EOL |
CVEs affecting Drupal 8.x (5)
| CVE | Severity | CVSS | EPSS | KEV | Cycle | Description | Published |
|---|---|---|---|---|---|---|---|
| CVE-2026-9082 | CRITICAL | 9.8 | 10.40% | KEV | 8.9 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core… | May 20, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 8.9 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 8.8 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 8.9 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 8.8 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
Drupal 8.x is EOL — migrate to Drupal 9.x
Drupal 9.x is the next major release. Plan your upgrade before Drupal 8.x stops receiving security patches.
Frequently asked questions
Is Drupal 8 end of life?
Yes. All Drupal 8.x releases have reached end of life and no longer receive security patches. There are 5 known CVEs affecting Drupal 8.x, including 1 critical. Migrate to Drupal 9.x as soon as possible.
What CVEs affect Drupal 8?
There are 5 CVEs tracked for Drupal 8.x, including 1 critical severity issue and 1 listed in the CISA Known Exploited Vulnerabilities catalog. See the full list above with CVSS and EPSS scores.
What is the latest Drupal 8 version?
The latest Drupal 8.x patch release is 8.9.20, released on November 17, 2021. Always run the latest patch to benefit from all security fixes.
How to migrate from Drupal 8 to Drupal 9?
To migrate from Drupal 8 to Drupal 9: (1) review the official Drupal 9 migration guide for breaking changes, (2) update dependencies and configuration accordingly, (3) test thoroughly in a staging environment, (4) deploy with a rollback plan. Starting early gives you time to resolve compatibility issues before your current version reaches end of life.
Is it safe to run Drupal 8 in production?
No. Drupal 8 has reached end of life and security vulnerabilities are no longer patched. Critically, 1 CVE affecting Drupal 8.x is in the CISA KEV catalog — meaning they are actively exploited in the wild. Upgrade to a supported version immediately.
Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA