When does Drupal reach end-of-life?

The latest supported Drupal release is 11.3.11. After end-of-life a release no longer receives security patches.

Drupal ↗

Drupal · CMS

100/100 Healthy

Summary iPlain-English security verdict for Drupal, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.

Drupal currently scores 100/100 — healthy. 8 actively-exploited vulnerabilities (CISA KEV) affect older releases (e.g. CVE-2018-7600) — staying on the latest supported version keeps you clear of them. The latest supported release is 11.3.11. It's on the latest patch with no significant known issues — keep it current.

Disclosure trend iNew CVEs published for Drupal each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.

'19

'20

'21

'22

'23

'24

'25

'26

⚠ 2 of its known vulnerabilities are linked to ransomware campaigns (CISA KEV).

Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.

Most urgent first — actively exploited, then likeliest to be exploited.

CVE-2018-7600 CRITICAL ● exploited ⚠ ransomware Improper input validation EPSS 94% → fixed in 8.5.1 CVE-2019-6340 HIGH ● exploited Insecure deserialization EPSS 94% → fixed in 8.6.10 CVE-2018-7602 CRITICAL ● exploited ⚠ ransomware Code injection EPSS 94% → fixed in 8.5.3 CVE-2020-28949 HIGH ● exploited EPSS 93% → fixed in 9.0.9 CVE-2020-36193 HIGH ● exploited Path traversal EPSS 71% → fixed in 9.1.3 CVE-2020-11023 MEDIUM ● exploited Cross-site scripting (XSS) EPSS 34% → fixed in 8.8.6 CVE-2026-9082 CRITICAL ● exploited SQL injection EPSS 10% → fixed in 11.3.10 CVE-2020-13671 HIGH ● exploited Unrestricted file upload EPSS 5% → fixed in 9.0.8 CVE-2014-3704 HIGH SQL injection EPSS 94% → fixed in 7.32 CVE-2024-45440 MEDIUM Information disclosure EPSS 87% → see advisory CVE-2005-1921 HIGH Code injection EPSS 86% → fixed in 4.6.2 CVE-2016-5385 HIGH CWE-601 EPSS 81% → fixed in 8.1.7

Versions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.

How long each Drupal release line is supported — and when it sunsets.

11.3 latest 11.3.11 Supported until 2026-12-16

10.6 latest 10.6.10 Supported until 2026-12-16

11.2 latest 11.2.13 Supported until 2026-06-17

10.5 latest 10.5.11 Supported until 2026-06-17

10.4 latest 10.4.10 End of life ended 2025-12-10

11.1 latest 11.1.10 End of life ended 2025-12-10

11.0 latest 11.0.13 End of life ended 2025-06-16

10.3 latest 10.3.14 End of life ended 2025-06-16

10.2 latest 10.2.12 End of life ended 2024-12-17

10.1 latest 10.1.8 End of life ended 2024-06-20

See all upcoming end-of-life dates →