Drupal 9.x — End of Life
EOL Actively exploitedDrupal 9.x — All releases
| Version | Released | Active support | EOL date | Latest patch | Status |
|---|---|---|---|---|---|
| 9.5 | Dec 15, 2022 | Jun 21, 2023 | Nov 1, 2023 | 9.5.11 | EOL |
| 9.4 | Jun 15, 2022 | Dec 14, 2022 | Jun 21, 2023 | 9.4.15 | EOL |
| 9.3 | Dec 8, 2021 | Jun 15, 2022 | Dec 14, 2022 | 9.3.22 | EOL |
| 9.2 | Jun 16, 2021 | Dec 8, 2021 | Jun 15, 2022 | 9.2.21 | EOL |
| 9.1 | Dec 2, 2020 | Jun 16, 2021 | Dec 8, 2021 | 9.1.15 | EOL |
| 9.0 | Jun 3, 2020 | Dec 2, 2020 | Jun 16, 2021 | 9.0.14 | EOL |
CVEs affecting Drupal 9.x (18)
| CVE | Severity | CVSS | EPSS | KEV | Cycle | Description | Published |
|---|---|---|---|---|---|---|---|
| CVE-2026-9082 | CRITICAL | 9.8 | 10.40% | KEV | 9.5 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core… | May 20, 2026 |
| CVE-2026-9082 | CRITICAL | 9.8 | 10.40% | KEV | 9.2 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core… | May 20, 2026 |
| CVE-2026-9082 | CRITICAL | 9.8 | 10.40% | KEV | 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core… | May 20, 2026 |
| CVE-2026-9082 | CRITICAL | 9.8 | 10.40% | KEV | 9.1 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core… | May 20, 2026 |
| CVE-2026-9082 | CRITICAL | 9.8 | 10.40% | KEV | 9.4 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core… | May 20, 2026 |
| CVE-2026-9082 | CRITICAL | 9.8 | 10.40% | KEV | 9.0 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core… | May 20, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 9.3 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 9.1 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 9.0 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 9.4 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 9.2 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | 0.08% | — | 9.5 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allow… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 9.1 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 9.5 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 9.2 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 9.3 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 9.4 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | 0.05% | — | 9.0 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core… | May 19, 2026 |
Drupal 9.x is EOL — migrate to Drupal 10.x
Drupal 10.x is the next major release. Plan your upgrade before Drupal 9.x stops receiving security patches.
Frequently asked questions
Is Drupal 9 end of life?
Yes. All Drupal 9.x releases have reached end of life and no longer receive security patches. There are 18 known CVEs affecting Drupal 9.x, including 6 critical. Migrate to Drupal 10.x as soon as possible.
What CVEs affect Drupal 9?
There are 18 CVEs tracked for Drupal 9.x, including 6 critical severity issues and 6 listed in the CISA Known Exploited Vulnerabilities catalog. See the full list above with CVSS and EPSS scores.
What is the latest Drupal 9 version?
The latest Drupal 9.x patch release is 9.5.11, released on September 19, 2023. Always run the latest patch to benefit from all security fixes.
How to migrate from Drupal 9 to Drupal 10?
To migrate from Drupal 9 to Drupal 10: (1) review the official Drupal 10 migration guide for breaking changes, (2) update dependencies and configuration accordingly, (3) test thoroughly in a staging environment, (4) deploy with a rollback plan. Starting early gives you time to resolve compatibility issues before your current version reaches end of life.
Is it safe to run Drupal 9 in production?
No. Drupal 9 has reached end of life and security vulnerabilities are no longer patched. Critically, 6 CVEs affecting Drupal 9.x are in the CISA KEV catalog — meaning they are actively exploited in the wild. Upgrade to a supported version immediately.
Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA