Drupal Critical Release on April 25, 2018

Last Updated: 06/01/2018

Security Notice Level


Drupal will release an emergency security update on April 25, 2018, between 10 a.m. and 12 p.m. (noon). They are not releasing any information about this vulnerability until after the announcement is made. The IT Security Office recommends upgrading shortly after the patch is release as exploits may be developed within hours.

CU Boulder’s www.colorado.edu and sites on the Web Express service will be updating shortly after the patch is released.

Affected Software

Drupal core 7.x, 8.4.x, and 8.5.x


Upgrade to the most recent version of Drupal 7 or 8 core.

Security Advisory Name

Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003

Additional Information

Additional information about this vulnerability can be viewed at:


If you have any questions, please contact the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) or help@colorado.edu.

Important definitions for this notice:
Urgent: severity represents a broad threat to the entire campus community including remotely exploitable administrator or root type attacks.
Severe: severity includes worms & web or email based exploits.
Important: severity includes viruses and local exploits for commonly used services.