Drupal core "highly critical" pre-patch warning — unauthenticated, zero-complexity, patch window today 17:00–21:00 UTC
From CTI Daily Brief — 2026-05-20 · published 2026-05-20
On 2026-05-18 the Drupal Security Team published PSA-2026-05-18 reserving an emergency out-of-band release for today, 2026-05-20, 17:00–21:00 UTC. The pre-advisory scores the flaw 20/25 on Drupal's own published security scale — the second-highest tier — with Access Complexity "None" and Authentication "None", meaning exploitation is unauthenticated and requires no special conditions; the total score sits below the theoretical 25/25 only because the Drupal Security Team rates the affected configuration as "Uncommon". CVE assignment and vulnerability class are embargoed until release. Affected branches 10.5.x, 10.6.x, 11.2.x and 11.3.x receive official patches; Drupal also reserved manual emergency patch files for the EOL branches 8.9, 9.5, 10.4 (→ 10.4.9) and 11.1 (→ 11.1.9), an unusual step that itself signals severity. Drupal 7 is not affected. The Security Team explicitly notes that "exploits might be developed within hours or days". NCSC.ch's Security Hub corroborates the urgency, reiterating that "Successful exploitation could allow unauthenticated attackers to fully compromise affected Drupal installations". BSI WID-SEC-2026-1579 carries the same advance warning (BSI CERT-Bund).
Why it matters to us: Drupal is the dominant CMS for Swiss federal / cantonal / municipal portals, European Commission and EU-agency sites, universities, and public-sector NGOs. No technical mitigation exists pre-patch. Schedule the patch window now and monitor the Drupal Security Advisories feed for the CVE and patch links the moment they publish at 17:00 UTC.
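A fleet triage helper for the patch window, added here as an example; it is not code from the brief, from Drupal or from any of the cited CERTs. The branch lists and fixed versions are the ones the brief names; the host names and versions in the sample inventory are constructed. It assumes the installed core version is read from the `const VERSION = '…';` line in `core/lib/Drupal.php`, which is where Drupal core records it. Branches the pre-advisory does not name are reported as "not listed" rather than as safe, since the CVE and advisory are still embargoed.

```python
"""Triage a Drupal inventory against the PSA-2026-05-18 pre-advisory branch list.

Added example (not from the brief or from Drupal). Branch lists mirror the brief;
host names and versions in SAMPLE_INVENTORY are constructed.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Supported branches that receive an official core release in the 17:00-21:00 UTC window.
SUPPORTED_AFFECTED = {(10, 5), (10, 6), (11, 2), (11, 3)}

# EOL branches for which Drupal reserved manual emergency patch files.
# Value: the fixed version the brief names for that branch, or None where it names none.
EOL_AFFECTED: Dict[Tuple[int, int], Optional[Version]] = {
    (8, 9): None,
    (9, 5): None,
    (10, 4): (10, 4, 9),
    (11, 1): (11, 1, 9),
}

NOT_AFFECTED_MAJORS = {7}  # the brief states Drupal 7 is not affected

# Drupal core records its version in core/lib/Drupal.php as: const VERSION = '10.3.1';
_PHP_VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")
# Leading numeric part of a version string; pre-release suffixes (-rc1, -dev) are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """'10.5.2' -> (10, 5, 2); '11.3.0-rc1' -> (11, 3, 0); '7.98' -> (7, 98, 0); None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_from_drupal_php(php_source: str) -> Optional[str]:
    """Extract the VERSION constant from the text of core/lib/Drupal.php."""
    m = _PHP_VERSION_RE.search(php_source)
    return m.group(1) if m else None


def _fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def triage(version_text: str) -> Tuple[str, str]:
    """Classify one installation. Returns (status, recommended action)."""
    v = parse_version(version_text)
    if v is None:
        return "unparsable", "determine the core version by hand"
    major, minor, _patch = v
    branch = (major, minor)
    if major in NOT_AFFECTED_MAJORS:
        return "not_affected", "no action: Drupal 7 is not affected"
    if branch in SUPPORTED_AFFECTED:
        return "affected_supported", f"apply the official {major}.{minor}.x release from the patch window"
    if branch in EOL_AFFECTED:
        fixed = EOL_AFFECTED[branch]
        if fixed is not None and v >= fixed:
            return "patched_eol", f"already at or above {_fmt(fixed)}"
        target = f" ({_fmt(fixed)})" if fixed else ""
        return "affected_eol_unpatched", (
            f"apply the manual emergency patch file{target} for EOL branch {major}.{minor}, "
            "then plan the upgrade off an EOL branch"
        )
    return "not_listed", "branch not named in the pre-advisory; re-check when the CVE and SA publish"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each host to its (status, action), worst cases first for the patch runbook."""
    order = {"affected_supported": 0, "affected_eol_unpatched": 1, "unparsable": 2,
             "not_listed": 3, "patched_eol": 4, "not_affected": 5}
    results = {host: triage(ver) for host, ver in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1][0]]))


# Constructed sample inventory: host -> version text (e.g. from core/lib/Drupal.php).
SAMPLE_INVENTORY = {
    "portal-a": "10.5.2",
    "portal-b": "11.3.0-rc1",
    "legacy-c": "10.4.8",
    "legacy-d": "11.1.9",
    "legacy-e": "8.9.20",
    "old-f": "7.98",
    "odd-g": "10.3.5",
}

if __name__ == "__main__":
    for host, (status, action) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status:24} {action}")
```

Run it once today with the real inventory to build the patch list, and again after 21:00 UTC to confirm every "affected_supported" host has moved to the released version; hosts that land in "not_listed" stay on the watch list until the CVE and SA text settle which branches are affected.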