Planet Drupal

The Night the Internet Tried to Kill Your Website John Locke Fri, 05/22/2026 - 11:30 May 2026

The rain had been falling on the city for weeks.

Not real rain. The kind that falls on the internet — a constant drumbeat of probes, scans, and automated fists rattling every doorknob on every block, every hour of the day. Most people don't hear it. That's fine. That's what we're here for.

My name doesn't matter. Call me the op. I run a small shop — we keep websites alive, patch the holes before the wrong people find them, and make sure that when something goes sideways, there's always a way back. It's not glamorous work. But this spring? This spring was something else.

• Read more about The Night the Internet Tried to Kill Your Website
• Add new comment

Drupal Core Accessibility Maintainer Mike Gifford says organisations risk accelerating inaccessible digital experiences when accessibility remains dependent on isolated advocates instead of embedded governance systems. Speaking as part of The DropTimes’ continuing Global Accessibility Awareness Day coverage, Gifford argued that sustainable accessibility depends on integrating accountability, workflows, testing, and organisational culture directly into development infrastructure before automated systems amplify poor practices at scale.

Visualization of Drupal Core Change records over the years

How many Drupal Core change records (CR) has there been over the years? Is it a manageable amount for contrib maintainers?  How many are about something new or deprecated? This is what it looks like since 2018. For visual effect I grouped CRs in 4 buckets: 

theodore May 22, 2026

AI is accelerating content creation, making estate-scale governance critical. Learn the 5 dimensions of content governance and why it must live natively in your CMS.

Ahead of Global Accessibility Awareness Day, contributors associated with A11yTalks and the Drupal community discussed how accessibility initiatives deteriorate when governance, training, and operational responsibility are not sustained over time. The discussions also examined the role of AI-assisted development workflows and why open-source communities often became early spaces for accessibility collaboration and inclusion.

Keyword search struggles with natural language and exploratory questions. Daniel walked the DrupalSouth 2026 audience through how OpenSearch and Skpr enable semantic search that understands intent and meaning, and how Retrieval-Augmented Generation (RAG) transforms results into clear, human-friendly answers grounded in your actual content.

by daniel.veza / 21 May 2026

 

Last week, the PreviousNext team headed over to Wellington for DrupalSouth 2026, and what a week it was.

by ana.beltran / 21 May 2026

The highlight of the week was the Splash Awards - and this year, we are honoured to have won:

• Best in Government with Cancer Australia for the GovCMS PaaS project we did in collaboration with Paper Moose
• Best in Show with Cancer Australia
• Community People's Choice Award - Adam Bramley (jointly awarded to Nicole Ritchie)
• Hall of Fame - Lee Rowlands

Congratulations to Lee and Adam! Both deserved the recognition for their active work with the Drupal Community.

The Best in Show win for Cancer Australia makes this a remarkable run. PreviousNext has now won Best in Show three times back to back. Here's the full picture:

Read more

Project: Drupal coreDate: 2026-May-20Security risk: Highly critical 20 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: SQL injectionAffected versions: >= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10CVE IDs: CVE-2026-9082Description: 

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.

This vulnerability can be exploited by anonymous users.

This vulnerability only affects sites using PostgreSQL. However, the dependency updates in this release apply to all sites.

Upstream security advisories

The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities.

Read more

Recently, I contributed an AI-powered Schema.org JSON-LD module to Drupal that uses AI automators to generate Schema.org JSON-LD, building a knowledge graph that improves SEO/AEO by making it easier for machines to understand your website. The module was built with AI in 4 days, whereas the Schema.org Blueprints module with a similar goal took 4 years. I have been so shocked by how efficiently AI can code and build software that I realized, "AI ate my work, and I need to be okay with that." I wrote about how I am adjusting to this new "AI" normal.

A slightly different reckoning is unfolding for our websites because AI is consuming our content, thereby reducing traffic. Providing Schema.org JSON-LD is one way to feed the machines. AIs are becoming the front page of most websites. To adapt to this new "AI" normal, where an AI is the gatekeeper to your website, we need to evolve our approach to building and managing our websites.

Adaptation

Personally, "adaptation" feels like the right word to describe the challenge and change we, developers, site builders, managers, and owners, are facing right now. Adaptation is forced upon us by external constraints or opportunities, depending on your point of view, to evolve our approach to building and sharing information. There is a much larger discussion about the impact of AI on who we are, what we are building, and how we build. For now, I want to focus on what Drupal-built websites need to consider to adapt and keep up with the rapidly evolving digital landscape, which is largely out of our control.

Out of our control

Read more

The Drupal Security Team has released SA-CORE-2026-004, confirming that the highly critical issue previewed in yesterday’s advance advisory is an anonymous SQL injection vulnerability affecting Drupal sites running PostgreSQL databases. The flaw, tracked as CVE-2026-9082, exists in Drupal core’s database abstraction API and can lead to information disclosure, privilege escalation, and potentially remote code execution. The coordinated release also includes upstream Symfony and Twig security fixes, prompting update recommendations for all supported Drupal installations regardless of database configuration.

Last week at Drupal South, Pamela Barone delivered a keynote on Drupal CMS. Her talk is one of the clearest articulations I've seen of what Drupal CMS is, why it exists, and where it's headed. That shouldn't come as a surprise because Pam is the Product Lead for Drupal CMS.

Pam quoted a familiar Drupal saying: Drupal makes hard things possible, but it also makes easy things hard.. The room laughed because it's true.

Her keynote makes the case that Drupal CMS is making Drupal easier across the board: visual page editing, a gentler on ramp for new developers, and project economics that finally work for smaller budgets. Larger organizations such as universities, governments, and Fortune 2000 companies want those same advantages, which is why Drupal CMS matters at every scale.

Pam also explains how Drupal CMS sits on top of Drupal Core, why it is not a Drupal distribution, how it gives digital agencies leverage, what site templates unlock, and how Drupal Canvas reshapes the page building experience.

If you watch one Drupal video this week, make it Pam's!

Now that some drupal.org projects are having their issue queues moved to Gitlab , this is probably a good time to start getting used to the new interface and all the new functionality. This quicktip covers two important bits that I think most Drupal contributors will want to take note of. Enable notifications If you're an active contributor, then you probably depend on the email notifications that have been sent out by drupal.org when an issue that you're involved in or following has an update. If you're expecting this to just work with Gitlab, you should probably be aware that by default , Gitlab notifications will be configured to be sent to a "no-reply.drupal.org" email address for your Drupal user account - in other words, you won't be getting any notifications. You can easily change this by visiting https://git.drupalcode.org/-/profile/notifications and changing your Global notification email : This page also has (much) more granular notification settings, but for most users

Your Website Will Be Attacked. Here's How We Make Sure You Survive It. John Locke Tue, 05/19/2026 - 09:00 The question used to be whether your website would face a serious security threat. That question has been answered. The question now is whether you'll be ready when it happens — and whether you can recover cleanly when something gets through. Sustainable/Open Business

• Read more about Your Website Will Be Attacked.

Read more

We are proud to share that the Drupal Association has been awarded a grant from the Alpha-Omega Project, a project of The Linux Foundation, which seeks to help open source projects identify and mitigate security vulnerabilities.

As AI-generated commits and AI-driven security threats become the norm, open-source ecosystems must evolve rapidly. This funding directly strengthens the already mature Drupal Security Team, ensuring our core ecosystem is hardened against the modern, AI-age vulnerabilities.

The funding provided by Alpha-Omega will enable the Drupal Security Team to build the program we need to stay ahead in this fast moving environment. Drupal’s already excellent security position will be even better going forward.

~ Tim Doyle, CEO at Drupal Association.

Security has been a defining pillar of the Drupal ecosystem. This collaboration with the Alpha-Omega Project underscores our ongoing commitment to open-source resilience, solidifying Drupal's position as the gold standard for secure enterprise content management.

Drupal is, and will continue to be, one of the most secure CMS platforms in the world.

Python has become central to AI systems, automation workflows and data processing, increasing demand for reliable integrations between Drupal and external developer ecosystems. In this contributed article, Drupal architect Vincenzo Gambino discusses the Python ports of Drupal API Client and Drupal JSON:API Params, explaining how cross-language tooling can help Drupal integrate more effectively with AI applications, headless architectures and modern development workflows.

Is your Drupal website silently accumulating security, performance, or scalability risks? Check out the essential Drupal maintenance best practices enterprises use to keep Drupal 11 websites secure and efficient.

The Rules Have Changed: Security in the Age of AI-Assisted Attacks John Locke Mon, 05/18/2026 - 19:00 Security is getting dramatically harder and more expensive. AI is simultaneously driving an explosion in vulnerability discovery and weaponizing the exploits that follow.

Read more

We're thrilled and thankful to announce that Upsun has completed the transfer of the DDEV trademarks to the DDEV Foundation.

The DDEV Foundation now owns the DDEV name outright, and DDEV's name and identity belong to its community.

A Long Story With a Happy Ending

When we were on the verge of losing the right to use the name "DDEV" several years ago, Platform.sh (now Upsun) stepped in to acquire and hold the trademark on the project's behalf. That act of generosity kept the project alive under its own name. Since then, as documented in our December 2025 post, Upsun had been in the process of transferring that trademark to the DDEV Foundation as the foundation matured into a stable home for the project.

That transfer is now complete.

What This Means

The DDEV Foundation is the independent, community-governed home for the DDEV project. With the trademark in the foundation's hands, DDEV's governance and identity are fully decoupled from any corporate sponsor.

This is exactly the kind of long-term resilience that open-source projects need to thrive across decades, not just years.

You can learn more about the foundation's structure, board, finances, and mission at ddev.com/foundation.

Thank You, Upsun

Upsun/Platform.sh has done so much for this project over the years:

Read more

Join us THURSDAY, May 21 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits. Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google document at https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone.

Information on joining the meeting can be found in our collaborative Google document.

Build a custom AI agent in Drupal Canvas to score news article engagement and suggest readability improvements.