Updates alert: critical security vulnerabilities in Drupal, Symfony, and Twig

Maintenance teams on standby


Today is one of those days when website owners had better not have their maintenance team on vacation. Several widely used open-source projects are releasing security updates simultaneously – and some of them are serious.

Drupal: highest severity level

The CMS Drupal has announced a security update rated "Highly Critical" for today – the highest severity level Drupal assigns. According to the official advance notice, the update is scheduled for all supported Drupal versions between 17:00 and 21:00 UTC. Not all configurations are affected – but anyone running or maintaining a Drupal website should make sure someone is available today to apply the update promptly.

Symfony & Twig: the biggest security patches in project history

At the same time, Fabien Potencier, founder of the PHP framework Symfony, announced early today on Bluesky:

"During the last few weeks, the #Symfony core team has been hard at work fixing a long list of vulnerabilities for both #Symfony and #Twig. Today, we're publishing that work in the biggest security patch releases ever."
Fabien Potencier on Bluesky, May 20, 2026

Symfony is relevant not only to developers who use it directly; it also serves as the technical foundation of the CMS Sulu, which makes an update there highly likely. TYPO3 and Contao also use parts of Symfony; whether they are affected by the specific vulnerabilities is currently unclear. Admins of these systems should keep a close eye on the official channels of their respective projects today.

Why acting fast matters more than ever

There used to be an unwritten rule that a few days would pass after a security patch was released before the first attacks followed. Those days are over. Even Drupal's security team warns in its announcement that exploits could be developed within hours or days. Modern AI tools make this a reality today: published patches can be automatically analyzed in a short time and turned into working attack tools. The window between patch release and first exploit has shrunk dramatically.

What to do now

No need to panic – but this is a time for vigilance. Anyone maintaining their own website should actively monitor update announcements from the projects they use today. Anyone who has outsourced maintenance to an agency or service provider should check in to confirm that the responsible parties are informed and that updates will be applied today.

Security updates are not a bureaucratic chore – they are the most important line of defense for any website. And their effectiveness depends entirely on how quickly they are deployed.
