Drupal Release Notes

This is a patch (bugfix) release of Drupal 10 and is ready for use on production sites. Learn more about the latest version of Drupal.

Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.

Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.

All changes since 10.6.5

• task: #3582512 Add SensitiveParameter attribute to CsrfTokenGenerator::validate()
• fix: #3576262 [random test failure] MediaSourceFileTest::testMediaFileSource
• task: #3582584 Add Andrei Mateescu as provisional general core committer
• fix: #3565033 Fix using numeric literals for 'version' in .info.yml files, cast to strings
• chore: #3581530 Update google/protobuf to >= 4.33.6
• fix: #3560719 Add [#NoDiscard] to AccessResult methods or make them chainable
• task: #3566051 Add darvanen as a maintainer of the Menu UI subsystem
• task: #3566048 Add darvanen as a maintainer of the Token subsystem
• fix: #3114887 Error responses are stored when using the Download migration process
• task: #3577400 Add godotislate as provisional release manager in MAINTAINERS.txt
• fix: #3567483 Update manager crashing admin panel with uncaught exceptions parsing version strings

Back to dev.

Release type

Bug fixes

This is a patch (bugfix) release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal.

Drupal 11.3.x will receive security coverage until December 2026.

All changes since 11.3.5

• fix: #3571849 Media Library allows user to select more media than expected
• fix: #3582171 [PHP 8.5] Strengthen views data with entity types w/o data tables
• Revert "docs: #3576253 Improve navigation module description"
• docs: #3576253 Improve navigation module description
• test: #3579629 Add procedural hooks to test theme to test collection and invoking legacy hooks
• task: #3582512 Add SensitiveParameter attribute to CsrfTokenGenerator::validate()
• fix: #3576262 [random test failure] MediaSourceFileTest::testMediaFileSource
• fix: #3582125 Improve the deprecation message in getMigrationDependencies()
• chore: #3567589 Exempt 'system.modules_uninstall' route in UpdateHooks::pageTop()
• task: #3582584 Add Andrei Mateescu as provisional general core committer
• ci: #3581997 PHPStan is failing on 11.3.x
• fix: #3565033 Fix using numeric literals for 'version' in .info.yml files, cast to strings
• docs: #3576233 Correct documentation for ::getChangedTimeAcrossTranslations()
• chore: #3581530 Update google/protobuf to >= 4.33.6
• fix: #3578193 CommentTokensHooks passes NULL to UrlHelper::stripDangerousProtocols() when comment homepage is not set
• feat: #3086655 Add composer instructions to INSTALL.txt
• fix: #3569172 Weird language negotiation behavior inside getLanguageSwitchLinks leading to incorrect languages being used
• fix: #3575096 Remove callable type from BatchBuilder ::addOperation and ::setFinishCallback
• fix: #3560719 Add [#NoDiscard] to AccessResult methods or make them chainable
• fix: #3577001 LocaleConfigManager::updateConfigTranslations() unconditionally re-saves unchanged config overrides
• task: #3566051 Add darvanen as a maintainer of the Menu UI subsystem
• task: #3566048 Add darvanen as a maintainer of the Token subsystem
• fix: #3572039 Add dropdown list relies on buttons being input elements
• fix: #3572679 Prevent undefined array key warnings in AddToAllBundles
• fix: #3570209 ContentEntityStorageBase::setPersistentRevisionCache() merges cache tags from all revisions together
• fix: #3578289 Transliteration of € is EU, but should be EUR
• task: #3578745 Add maintainers of Admin theme to MAINTAINERS.txt
• fix: #3572050 plugin.manager.icon_extractor has incorrect service alias
• task: #3573464 Package Manager should warn, not error, about being enabled for early testing
• task: #3309169 hook_entity_create() should clearly state the entity is not yet stored
• fix: #3572171 Persist is_syncing across container rebuilds
• fix: #3572785 \Drupal\system\Controller\ThemeController::willInstallExperimentalTheme() prevents code from reaching the theme was not found errors
• perf: #3574198 TypedDataManager prototypes should not include the parent context
• task: #3578028 Update underscore.js to 1.13.8
• fix: #3560357 Taxonomy term ID from URL ViewsArgumentDefault plugin does not apply node cache tags when "Load filter from node page" is selected (follow-up)
• fix: #3576648 Skip automated cron on all CLI commands
• fix: #3564713 Search module fails to handle HTML tags with whitespace between tag name and attributes
• fix: #3114887 Error responses are stored when using the Download migration process
• task: #3577400 Add godotislate as provisional release manager in MAINTAINERS.txt
• chore: #3560876 NavigationUserBlock::buildLinks() doesn't check if the user could be loaded
• fix: #3564197 Package Manager should not restrict which packages can do scaffolding
• fix: #3572967 Renderer::executeInRenderContext() and BigPipe should also pass immediate as resume type
• docs: #3572051 hook_icon_pack_alter() is undocumented
• fix: #3560357 Taxonomy term ID from URL ViewsArgumentDefault plugin does not apply node cache tags when "Load filter from node page" is selected
• fix: #3567483 Update manager crashing admin panel with uncaught exceptions parsing version strings

Back to dev.

Release type:

Bug fixes

This is a patch (bugfix) release of Drupal 10 and is ready for use on production sites. Learn more about the latest version of Drupal.

Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.
Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.

Important update information

CKEditor5 is updated to v47.6.0. This version includes a security update for a Cross-Site Scripting (XSS) vulnerability in the General HTML Support feature. The Drupal Security Team have reviewed the update and do not consider it to be exploitable in the built-in implementation of CKEditor5. If you have a custom implementation of CKEditor5 then we recommend reading the Security advisory for workarounds.
This release also fixes an incompatibility with the Pathauto contributed module that was present in Drupal 10.6.4.

All changes since 10.6.3

• Revert "fix: #3525391 Conditions plugin validation schema is wrong"
• fix: #3117430 file-link template should not always display file_size
• task: #3576995 Update CKEditor 5 to 47.6.0
• fix: #3525391 Conditions plugin validation schema is wrong
• fix: #3549107 Escape or strip control characters in JSON:API
• task: #3566050 Add cosmicdreams as a maintainer of the Settings Tray subsystem
• task: #3568888 Remove Wim Leers as maintainer for CKEditor 5, Editor, JSON:API, and REST
• task: #3572244 Add smustgrave as a maintainer of the Options subsystem
• task: #3566056 Add markconroy as a maintainer of the Markup subsystem
• task: #3568891 Add markconroy as a maintainer of the Settings Tray subsystem
• fix: #3570287 Use appropriate config schema for the Display comment (display_comment) property
• task: #3566057 Add mstrelan as a maintainer of the System (module) subsystem
• task: #3571815 Add amateescu as a maintainer of the Content Moderation subsystem
• task: #3566049 [patch to be ported] Add amateescu as a maintainer of the Workflows subsystem
• task: #3566052 Add dww as a maintainer of the Content Moderation subsystem

Back to dev.

Release type

• Bug fixes

This is a patch (bugfix) release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal.

Drupal 11.3.x will receive security coverage until December 2026.

Important update information

CKEditor5 is updated to v47.6.0. This version includes a security update for a Cross-Site Scripting (XSS) vulnerability in the General HTML Support feature. The Drupal Security Team have reviewed the update and do not consider it to be exploitable in the built-in implementation of CKEditor5. If you have a custom implementation of CKEditor5 then we recommend reading the Security advisory for workarounds.
This release also fixes an incompatibility with the Pathauto contributed module that was present in Drupal 11.3.4.

All changes since 11.3.3

• Revert "fix: #3525391 Conditions plugin validation schema is wrong"
• fix: #3117430 file-link template should not always display file_size
• task: #3576995 Update CKEditor 5 to 47.6.0
• fix: #3572047 "Last" pager links inside a modal do not open in the modal
• fix: #3319212 Entities without labels cause TypeError in EntityController title callbacks
• fix: #3576074 Current user is changed unexpectedly (follow-up)
• fix: #3576074 Current user is changed unexpectedly
• fix: #3573953 LogicException in Renderer::render() still mentions renderPlain()
• fix: #3525391 Conditions plugin validation schema is wrong
• fix: #3439643 Improve how and what navigation block titles are communicating to screenreader users
• fix: #3558934 Fix styling of link autocomplete with long titles
• fix: #3560659 HTMX Drupal behaviors are not applied when swapped element is body
• fix: #3564735 Container / service exceptions while installed from existing config
• fix: #3575066 Olivero mobile close button not properly placed against top nav bar
• fix: #3562072 Menu link content export with dependencies doesn't include parent menu link entity.
• task: #3572169 Put the mobile sidebar close button into the TAB sequence
• fix: #3565020 Set the Drupal\views\ViewsData::$fullyLoaded property to TRUE only when the data is really loaded.
• task: #3566050 Add cosmicdreams as a maintainer of the Settings Tray subsystem
• fix: #1894286 System updates are executed without priority
• task: #3568888 Remove Wim Leers as maintainer for CKEditor 5, Editor, JSON:API, and REST
• task: #3572244 Add smustgrave as a maintainer of the Options subsystem
• fix: #2722307 Move translation based conditions into database query on revisions overview page
• docs: #3552759 Fix more incorrect phpdoc type hints (part 1)
• fix: #3554220 Claro's libraries don't enforce the variables.css dependency
• fix: #3568566 Olivero's secondary menus inoperable when authenticated & BigPipe present
• fix: #3572084 Dotfiles cannot be ignored cia *.starterkit.yml file
• fix: #3569751 Workspace AJAX query parameters become arrays when form elements have pre-existing token/persist values
• task: #3566056 Add markconroy as a maintainer of the Markup subsystem
• task: #3568891 Add markconroy as a maintainer of the Settings Tray subsystem
• fix: #3567159 Fix "expects array" issues detected by phpstan
• fix: #3572527 \Drupal\DrupalInstalled::VERSIONS_HASH is not consistent for the same set of packages
• fix: #3570287 Use appropriate config schema for the Display comment (display_comment) property
• fix: #3566280 Color contrast issues on the field listings page
• task: #3566057 Add mstrelan as a maintainer of the System (module) subsystem
• task: #3571815 Add amateescu as a maintainer of the Content Moderation subsystem
• fix: #3565886 Navigation module throws an error on missing URL
• fix: #3545132 Datelist element has nondeterministic timezone
• docs: #3118569 Add an example of a semver contrib module number to the update hook example for hook_removed_post_updates()
• docs: #3565566 Document return type for RfcLogLevel::getLevels()
• task: #3566052 Add dww as a maintainer of the Content Moderation subsystem

Back to dev.

Release type

Bug fixes

Release notes

This is a patch (bugfix) release of Drupal 10 and is ready for use on production sites. Learn more about the latest version of Drupal.
Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.
Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.

All changes since 10.6.2

• task: #3566054 Add heddn as a maintainer of the Image subsystem
• task: #3566053 Add heddn as a maintainer of the Authentication and Authorization subsystem
• test: #3571492 Several tests fail on PHP 8.1 on 10.6.x because of requirements issues
• fix: #3463524 editor_post_update_sanitize_image_upload_settings fails on missing text format
• Reapply "task: #3571196 Update symfony/process constraint"
• task: #3570133 PHPUnit security update
• Revert "task: #3571196 Update symfony/process constraint"
• task: #3571196 Update symfony/process constraint
• docs: #3532469 Documentation mentions Drupal being fully "repaired"
• task: #3569877 Add PHP 8.4 and 8.5 end of life dates to PhpRequirements
• docs: #3559209 cache contexts should use list everywhere
• task: #3566060 Add smustgrave as a maintainer of the Menu UI subsystem
• task: #3566058 Add penyaskito as a maintainer of the Content Translation subsystem
• task: #3566059 Add penyaskito as a maintainer of the Language subsystem
• fix: #3561800 Using \Drupal\Core\Database\Query\Insert::from() on postgres on a table with a serial field can result in duplicate key error
• fix: #3327662 Deleting the system.site:page.front config results in a PHP deprecation
• fix: #3539508 form-data: Usage of unsafe random function
• fix: #3450792 Only set #group is status field exists in NodeForm
• fix: #3389633 SwitchShortcutSet form does not set access on machine name element
• test: #3520036 [random test failure] CKEditor5MarkupTest
• fix: #3550787 [random test failure] CKEditor5Test::testLanguageOfPartsPlugin
• fix: #3419203 ckeditor5_post_update_code_block() throws an error for format using CKE5 but with CKE4 settings
• fix: #3468180 Undefined array key "view_mode" in block_content_theme_suggestions_block_alter
• fix: #3566429 Update to 10.6.0 fails due to nodejs version incompatibility

Back to dev.

Release type

Bug fixes

This is a patch (bugfix) release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal.
Drupal 11.3.x will receive security coverage until December 2026.

All changes since 11.3.2

• task: #3566054 Add heddn as a maintainer of the Image subsystem
• task: #3566053 Add heddn as a maintainer of the Authentication and Authorization subsystem
• task: #3566049 Add amateescu as a maintainer of the Workflows subsystem
• test: #3571492 Several tests fail on PHP 8.1 on 10.6.x because of requirements issues
• fix: #3463524 editor_post_update_sanitize_image_upload_settings fails on missing text format
• Reapply "task: #3571196 Update symfony/process constraint"
• task: #3570133 PHPUnit security update
• Revert "task: #3571196 Update symfony/process constraint"
• task: #3571196 Update symfony/process constraint
• fix: #3567770 Media Library message persists after deselecting items to fix overflow
• docs: #3532469 Documentation mentions Drupal being fully "repaired"
• fix: #3566568 The short description for the \Drupal\user\AccountForm class is not correct
• fix: #3569778 Fix link in \Drupal\Tests\package_manager\Kernel\TestSandboxManager::__sleep doc
• fix: #3564510 TypeError: Drupal\Core\Utility\ThemeRegistry::getGlobalPreprocess(): Return value must be of type array
• fix: #3570220 RoleSettingsForm::submitForm() should not load config overrides
• fix: #3570219 BlockListBuilder::submitForm() should not load config overrides
• fix: #3565213 Adjust contextual CSS for navigation module reset CSS
• fix: #3568141 Try to avoid style recalculation in Olivero's isDesktopNav
• fix: #3564880 BigPipe placeholders with identical IDs are not all replaced
• docs: #3563727 Fix PHPStan missingType.generics for \ArrayIterator not specifying its types
• feat: #3535230 Reverted revision is not listed on the version history when using Set as current revision
• Revert "feat: #3535230 Reverted revision is not listed on the version history when using Set as current revision"
• feat: #3535230 Reverted revision is not listed on the version history when using Set as current revision
• feat: #3556794 preprocess_HOOK__candidates in themes can be assigned to module invoke maps
• docs: #3559209 cache contexts should use list everywhere
• task: #3566060 Add smustgrave as a maintainer of the Menu UI subsystem
• task: #3566058 Add penyaskito as a maintainer of the Content Translation subsystem
• task: #3566059 Add penyaskito as a maintainer of the Language subsystem
• fix: #3561800 Using \Drupal\Core\Database\Query\Insert::from() on postgres on a table with a serial field can result in duplicate key error
• fix: #3327662 Deleting the system.site:page.front config results in a PHP deprecation
• task: #3564264 Fix concrete typehinting of EntityTypeManager
• task: #3567983 Avoid unnecessary style recalculation from Olivero search
• task: #3449874 Update to jQuery 4.0.0
• fix: #3562759 ContentEntityBase::hasTranslationChanges() must use loadRevisionUnchanged()
• fix: #3552984 MigrateTestBase::display() causes a TypeError if a test fails a migration
• fix: #3532360 Check return value from getCurrentRequest() before calling setRequest() in ViewExecutableFactory
• fix: #3450792 Only set #group is status field exists in NodeForm
• fix: #3560093 $target_url in ViewAjaxController::ajaxView can be NULL
• fix: #3389633 SwitchShortcutSet form does not set access on machine name element
• fix: #3567086 Alias case sensitivity after the removal of the preload cache
• Revert "fix: #3516264 CKEditor 5 loads all plugin translations on AJAX operations"
• test: #3520036 [random test failure] CKEditor5MarkupTest
• task: #3563647 Remove unneeded patterns from deprecation-ignore.txt
• fix: #3401726 MediaLibraryUiBuilder service does not properly allow additional contextual filter arguments
• Revert "fix: #3560202 UserCreationTrait::create* methods can never return false"
• fix: #3560202 UserCreationTrait::create* methods can never return false
• fix: #3550787 [random test failure] CKEditor5Test::testLanguageOfPartsPlugin
• fix: #3566844 [random test failure] MediaTest::testTranslationAlt
• fix: #3566845 [random test failure] ImageTest::testLinkability
• fix: #3549107 Escape or strip control characters in JSON:API
• fix: #3505182 An entity without a label causes an uncaught exception for the navigation:title component
• fix: #1522154 Saving non-default revisions shouldn't trigger a search reindex
• fix: #3526908 Fix issues with ConfigEntityValidationTestBase
• fix: #3557014 PageDisplayVariant does not transmit cache metadata
• task: #3556936 Outdated todo in EarlyRenderingControllerWrapperSubscriber
• fix: #3061838 Email element does not have default #ajax event
• task: #3557840 Remove @legacy-covers in cases where the test method name starts with the covered method
• task: #3562214 Upgrade glob because of CVE-2025-64756
• fix: #3565703 block_content post update fails if views module is disabled
• fix: #3566261 [regression] custom field twig for second comment fields has null value in comment after 11.3.0 upgrade
• fix: #3565937 Workaround PHP bug with fibers and __get()
• fix: #3387013 Check LinkItemInterface::isEmpty() before validating
• task: #2620330 Move ContainerDerivativeDiscoveryDecoratorTest::testGetDefinitions() to DerivativeDiscoveryDecoratorTest
• task: #2436209 Test ContentEntityBase constructor called with multilanguage values
• task: #3308418 Improve more error messages on unrouted URLs
• fix: #3552531 Unsupported operand types: array + null when calling field_formatter_third_party_settings_form hook
• fix: #3152281 Extra field blocks render even when empty
  Back to dev.

Release type

• Bug fixes

This is a patch (bugfix) release of Drupal 10 and is ready for use on production sites. Learn more about the latest version of Drupal.
Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.
Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.

All changes since 10.6.1

task: #3565943 [backport] [security hardening] Update composer to 2.9.3
task: #3557585 [backport to 11.2, 10.6, and 10.5] Update to Composer 2.9.2
fix: #3565218 [random test failure] ResponsiveImageFieldUiTest::testResponsiveImageFormatterUi()
fix: #3551373 [random test failure] ManageDisplayTest testFormatterUI() and testWidgetUI()

Back to dev.

Release type

Bug fixes

This is a patch (bugfix) release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal.
Drupal 11.3.x will receive security coverage until December 2026.

All changes since 11.3.1

• performance: #3566156 APCu FileCache can consume a ton of memory due to caching procedural hook data since Drupal 11.1
• feat: #3563812 Top bar CSS does not set text colour
• task: #3565943 [security hardening] Update composer to 2.9.3
• fix: #2339921 Undefined variable: groups in \Drupal\views\Plugin\views\filter\FilterPluginBase::groupForm
• Revert "fix: #2339921 Undefined variable: groups in \Drupal\views\Plugin\views\filter\FilterPluginBase::groupForm"
• perf: #3559030 Installing from existing config causes massive cache.config population and slow installs
• fix: #3516264 CKEditor 5 loads all plugin translations on AJAX operations
• fix: #3542774 The “reduce motion” setting in the operating system should be respected
• fix: #3564548 update_post_update_fix_update_emails() can fail on invalid config
• fix: #2339921 Undefined variable: groups in \Drupal\views\Plugin\views\filter\FilterPluginBase::groupForm
• fix: #3565218 [random test failure] ResponsiveImageFieldUiTest::testResponsiveImageFormatterUi()
• fix: #3564926 Fix the documentation for SystemAdminMenuBlockAccessCheck::access() first parameter
• fix: #3560690 Functional update tests consistently fail on mysqli
• task: #3562159 Make it easier to run test-only job against different PHP / DB combinations
• fix: #3562676 Fix type hints with wrong case in @param and @return annotations
• fix: #3553342 Race condition in LocalTaskManager::getLocalTasks() with fibers
• fix: #3555152 Move skip_procedural_hook_scan cleanup to HookCollectorKeyValueWritePass
• fix: #3551373 [random test failure] ManageDisplayTest testFormatterUI() and testWidgetUI()
• fix: #3557585 Update to Composer 2.9.2

Back to dev.

Release type

Bug fixes

Important update information

This update fixes two critical bugs in the Comment and History modules that were present in Drupal 11.3.0.
There are no other changes. For all other information about Drupal 11.3, see the Drupal 11.3.0 release notes.

All changes since Drupal 11.3.0

• fix: #3562753 History module triggers ServiceNotFoundException for comment.manager when Comment module is not enabled
• fix: #3563876 TypeError: trigger_error(): Argument #2 () must be of type int, string given in trigger_error()

Release type

• Bug fixes

Read the Drupal 11.3.0 release announcement for improvements and highlights in this release.
This minor release provides improvements and new functionality. It does not break backward compatibility (BC) for public APIs. There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.
This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.
Drupal 11.3.x will receive security support until December 2026. Drupal 11.2.x will continue to receive security support until June 2026.
Drupal 11 will be supported until the release of Drupal 13.

Drupal 10.6.x Maintenance Minor Release Notes

This is a maintenance minor release of Drupal 10 and is ready for use on production sites. Maintenance minors are recommended for sites that prefer the minimum changes between releases. Learn more about the Drupal core release cycle.

This maintenance minor provides the best forward-compatibility with Drupal 11. It includes important dependency updates and API additions. It does not break backward compatibility (BC) for public APIs. This is according to Drupal core's backward compatibility and experimental module policies.

Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.

Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.

Sites on 10.6 upgrading to Drupal 11 must upgrade to 11.3.0 or higher.

Important update information

This update adds an additional dependency on doctrine/lexer that was accidentally missed from Drupal 10.6.0.
There are no other changes. For all other information about Drupal 10.6, see the Drupal 10.6.0 release notes.

All changes since Drupal 10.6.0

• feat: #3563642 Drupal 10.6 incompatible with doctrine/lexer 3

Release type

• Bug fixes