drupal 11.1.9 | Drupal.org

This is a non-production site

- Drupal Core Drupal CMS puts the power of Drupal into the hands of marketers, designers and content creators
- Drupal CMS Drupal CMS puts the power of Drupal into the hands of marketers, designers and content creators
- Drupal AI Open limitless possibilities with Drupal AI
- Case Studies Powerful stories that show Drupal solutions in the real world
- Drupal for Government Drupal is the open-source CMS that enables digital transformation of government and increases citizen engagement
- Drupal for Higher Education See why 70% of the world's leading universities chose Drupal
- Drupal for Nonprofit See why Drupal is the open-source CMS choice for some of the world’s most influential nonprofits
- Drupal for eCommerce Natively integrate content and commerce
- Drupal for FinTech Secure and trustworthy FinTech infrastructure
- Drupal for Healthcare Drupal powers systems that are secure, patient-centric and engaging
- Drupal for Media & Publishing Create engaging multi-channel experiences to connect with your audiences - everywhere
- Download Drupal Download Drupal and the extensions you need
- Documentation Full knowledgebase including Drupal 7 resources
- Getting Started Guide to installing Drupal on a server
- Local Development Guide Guide to installing Drupal locally with Docker and DDEV
- Developer Resources Step-by-step guide for learning Drupal
- Drupal User Guide Learn to build with Drupal
- API Complete documentation of Drupal Core APIs
- Modules Extend your project's functionality
- Themes Change your project's look and feel
- Distributions Jumpstart your project with a pre-configured install
- Issues Queue Report issues and contribute improvements
- Security Advisories Stay on top of the latest security alerts and updates
- Find a Drupal Certified Partner Connect with the best Drupal agencies around the world
- Become an Drupal Certified Partner Join an elite network of agencies committed to Drupal excellence and innovation
- Find a Hosting Provider Find a hosting provider for your Drupal project
- Find a Migration Partner Get help with your migration to the latest version of Drupal
- Find Training Upskill your Drupal team
- Drupal Steward Ensure your website is protected with Drupal Steward
- About the Community Come for the code, stay for the community
- How to Contribute Get involved in growing and evolving Drupal
- DrupalCon DrupalCon unites experts from around the globe who create ambitious digital experiences. Network, learn, and be inspired
- Events Discover local events, meet-ups, and training
- Jobs / Careers Find opportunities to work in Drupal
- News & Blogs News and stories about Drupal
- Forum Got a question about Drupal? Find answers on the Drupal forums
- Slack Get support and communicate with the global Drupal community
- Newsletters Sign up for Drupal news and manage your subscriptions
- Drupal Swag Shop Get your Drupal branded merch!
- The Drupal Association Learn how we support Drupal's growth and innovation - and how you can help
- Become a Member Become a Ripplemaker and support the Drupal Association
- Become a Drupal Certified Partner Join an elite network of agencies committed to Drupal excellence and innovation
- Donate Make a donation to the nonprofit that supports Drupal
- Log in
- Create account
- Try Drupal CMS
- Try hosting

Posted by xjm on November 12, 2025 at 11:28pm

This is a security release of the Drupal 11 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

Important update information

SA-CORE-2025-005 removes a feature of an underlying library where request attributes can be manipulated. It is possible that some sites are actually relying on this feature. In this case, the behavior can be replicated by implementing a custom stack middleware to alter the incoming request.
Symfony Framework released CVE-2025-64500 today. Drupal core does not expose this vulnerability.

Drupal 11.1 has Symfony 7.2 as minimum version, which is no longer supported by Symfony as of this month (November 2025). Since Drupal is not affected by the Symfony security vulnerability, we are not raising the minimum Symfony version for Drupal 11.1. Sites can update to Symfony 7.3 via Composer if needed, or update to Drupal 11.2. Sites should also aim to update to Drupal 11.2 or higher before Drupal 11.1 reaches its end-of-life in December.

Which release do I choose? Security coverage information

Drupal 11.1.x will receive security coverage until December 2025 when Drupal 11.3.0 is released and sites should plan to update to Drupal 11.2 or higher by December 2025.
Sites on Drupal 11.2.x should update immediately to Drupal 11.2.8.
Sites on Drupal 10.5.x should update immediately to Drupal 10.5.6.
Sites on Drupal 10.4.x should update immediately to Drupal 10.4.9.
Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage.

Other changes in this release

Additional test-only fixes are included in the release:

Issue #3539331 by dww, godotislate, nicxvan: Incorrect warning for system requirements for APCu memory
Issue #3539366 by dimitriskr, andypost, godotislate: Default DB transaction isolation set to read-committed breaks InstallerIsolationLevelExistingSettingsTest test

VCS Label

11.1.9

Release type

Security update

Short description

Receives security coverage until December 2025 when Drupal 11.3.0 is released.

Packaged Git sha1

5d83fa7b4b4eda5971085af5d5ff00811016376a

Release files