Security update: Drupal 8 & Drupal 9

Written by Mark Enrega on Friday, August 13, 2021

Drupal has released a moderately critical security update for Drupal 8 and Drupal 9. This security update (version 8.9.18, 9.1.12 or 9.2.4) fixes a vulnerability that has been identified by the Drupal security team.

The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.

Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.

For more information, see CKEditor's announcement of the release.


The latest versions of Drupal (version 8.9.18 or 9.1.12 or 9.2.4) will mitigate the vulnerability. All Drupal websites should be updated to the latest version of Drupal.


All Drupal websites that are hosted with Enrega will be updated by our support team. For more information about the update process, please see our security updates for your website page.

If you have a shared hosting account with CMS support, your website you will receive an email which will notify you when your website will be updated. If you have a custom website that is not in shared hosting, or if you do not have CMS support, please get in touch with us to book a time to have the update done for you.