drupal 11.2.4

This is a patch (bugfix) release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal.

Drupal 11.2.x will receive security coverage until June 2026.

Important update information

• CKEditor5 is updated from v45.2.0 to v45.2.2 to fix a Cross-Site Scripting (XSS) vulnerability that does not directly effect Drupal core. If your site enables the HTML embed plugin or has a custom plugin that uses an editable element which implements view RawElement is enabled then you should update immediately. See the v45.2.2 release notes for details.

All changes since 11.2.3

• Issue #3544581 by catch, longwave, godotislate: Update to CKEditor5 v45.2.2
• Issue #3253897 by mohit_aghera, oily, joakland, smustgrave, lendude: Regression: "Display the file download URI" on related file entity shows relative path
• Issue #3536999 by chesn0k, niklan: Drupal\comment\Controller\CommentController::getReplyForm() never returns a response object
• Issue #3215368 by xjm, smustgrave, ghost of drupal past, valthebald, andypost: Use a more standard transliteration for Cyrillic щ
• Issue #3440399 by prudloff, akalata, larowlan, longwave, smustgrave, mrszymon, greggles, berdir: Malicious fingerprinting of visitors via role name on content translation screen
• Issue #3540554 by tstoeckler: Functional tests attempting to release locks for a no-longer existing site throws an exception
• Issue #3532792 by nicrodgers, greg.harvey: avif error - Could not encode image: No codec available
• Issue #3530456 by nexusnovaz, karimb, nicxvan, aubjr_drupal, longwave: Indicate that hook_post_update_NAME() hooks do not run at installation time
• Issue #3351597 by acbramley, smustgrave, catch: [random test failure] Drupal\Tests\ckeditor5\FunctionalJavascript\MediaLibraryTest
• Issue #3539366 by dimitriskr, andypost, godotislate: Default DB transaction isolation set to read-committed breaks InstallerIsolationLevelExistingSettingsTest test
• Issue #3540886 by immaculatexavier, nod_, gábor hojtsy: Update to jQuery 4 RC1
• Issue #3541487 by alexpott: Fix EntityQueryTest on SQLite and Postgres
• Issue #3538854 by dww, driskell, andypost, godotislate: APCu requirement for 32MB always displays since APCu 5.1.25
• Issue #3453692 by nhojivar7, agunjan085, joachim, isa.bel, xdequinze: hook_entity_reference_selection_alter() is undocumented
• Issue #3539530 by neerajsingh, joachim, nicxvan: VersionHistoryController should document its soft expectations
• Issue #3486481 by mxr576, berdir: Recipe install command prints out to stdout and not error, but RecipeTestTrait::applyRecipe() only prints out error output
• Issue #3540528 by andypost, jacktonkin: Clean-up deprecated non-standard cast names
• Issue #3541053 by andypost: Fix deprecated curl_close() for PHP 8.5
• Issue #3540525 by andypost: Remove remaining usage of setAccessible()
• Issue #3540646 by andypost, penyaskito: Fix deprecated readdir() without argument for PHP 8.5
• Issue #3539501 by danrod, tanushree gupta, mstrelan, bramdriesen: Remove duplicate GenericTest in system.module
• Issue #3540305 by phenaproxima, thejimbirch: The addComponentToLayout config action should support adding multiple components
• Issue #3534278 by phenaproxima, longwave, xjm, catch: The vendor hardening plugin should provide a way to skip cleaning certain packages
• Issue #2950869 by amateescu, alexpott, fabianx, lucassc, abhishek-anand, pavlosdan, ravi.shankar, adam.weingarten, timmy_cos, rassoni, bryanmanalo, pooja saraah, _pratik_, enrocean167, matsbla, berdir, catch, wim leers, yakoub, neclimdul, dixon_, camoa, daffie, effulgentsia, mariancalinro, mheip, nicobot, krzysztof domański: Entity queries querying the latest revision very slow with lots of revisions
• Issue #3537396 by jesseh, borisson_: Removed function block_themes_installed() is still referenced in comments
• Issue #3537282 by xjm, divyansh.gupta, griffynh, tedbow, smustgrave: Remove tedbow as maintainer for Settings Tray subsystem
• Back to dev.