Drupal News

Join us THURSDAY, May 21 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits. Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google document at https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone.

Information on joining the meeting can be found in our collaborative Google document.

Build a custom AI agent in Drupal Canvas to score news article engagement and suggest readability improvements.

There will be a Drupal core security release for all supported branches on May 20, 2026, between 17:00 and 21:00 UTC. (To see this in your local timezone, refer to the Drupal Core Calendar.) The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days.

The risk is currently rated as:
Highly critical 20 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon.

Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.

We recommend updating to the latest supported patch (bugfix) release for your site's version of Drupal before May 20, so that you can address any other upgrade issues before the security window. (Recommendations for specific Drupal versions follow.)

This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected from known attack vectors, but should upgrade in the near future in case additional attack vectors are discovered.

Security releases will be provided for all the currently supported branches of Drupal core, which are:

• 11.3.x
• 11.2.x
• 10.6.x
• 10.5.x

Sites on one of these supported versions should update to the latest patch release for the given branch now in preparation for the security window.

While the Drupal Security Team does not normally provide security releases for unsupported releases, given the severity of the issue, we are providing 11.1.x and 10.4.x releases that include the fix for sites which have not yet had a chance to update. Therefore, in advance of the window:

• Sites on Drupal 11.1 or 11.0 should update to at least Drupal 11.1.9.
• Sites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least Drupal 10.4.9.

These sites should apply the security update as soon as it is released on May 20, then plan to update to Drupal 11.3 or 10.6 in the near future. (Two other recent security advisories, SA-CORE-2026-001 and SA-CORE-2026-002, will not be addressed for 11.1 or 10.4.)

These major versions are fully end-of-life, so no releases will be created for these branches. However, given the potential severity of this issue, we will provide patch files for Drupal 8.9 and 9.5.

These patches must be applied manually. They are not guaranteed to work correctly, and might introduce other bugs or regressions. However, they may help mitigate the vulnerability for sites still on these old major versions until they upgrade to a supported release.

For the best chance of the patches being applied successfully:

• Sites on any version of Drupal 9 should update to Drupal 9.5.11.
• Sites on any version of Drupal 8 should update to Drupal 8.9.20\.

We strongly recommend Drupal 8 or 9 sites update to at least Drupal 10.6 soon. Drupal 8 and 9 include numerous other, previously disclosed security vulnerabilities that will not be addressed by either Drupal Steward or the best-effort patch files.

Drupal 7 is not affected.

Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, on Bluesky, Mastodon, X (formerly Twitter), and LinkedIn, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on Drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

Security release announcements will appear on the Drupal.org security advisory page which also has RSS feeds.

• Benji Fisher (benjifisher) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• cilefen (cilefen) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Tim Hestenes Lehnen (hestenet)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Today we are talking about The Open Web, What it means, and Why it's important with guest Alex Moreno. We'll also cover AI Schema.org JSON-LD as our module of the week.

For show notes visit: https://www.talkingDrupal.com/553

• Defining the Open Web
• Drupal in a Bubble
• Marketing and PR Challenges
• AI Bias Against Drupal
• Why AI Won't Recommend Drupal
• Is Drupal AI Native
• Marketing Against Giants
• Local Evangelism Push
• Funding Outreach Trips
• Drupal CMS PR Gap
• Templates Lower Barriers
• Need a Drupal Onramp
• Speaking Beyond Drupal
• Web Summit Lessons
• Sell Problems Not Drupal
• Rethinking DrupalCon
• Camps and New Audiences
• Marketplace Ecosystem Idea
• Wrap Up and Contacts

• Drupalcamp Grenoble 2026 - Bursting the bubble
• Drupal Iberia keynote
• Schema dot org
• Drupal is Great! Its Perception Might Not be
• TD Cafe - Caching

Alex Moreno - alexmoreno

Nic Laflin - nLighteneddevelopment.com nicxvan John Picozzi - epam.com johnpicozzi Bernardo Martinez - bernardm28

Jacob Rockowitz - jrockowitz.com jrockowitz

• Brief description:
  • The AI Schema.org JSON-LD module provides a straightforward way to send a prompt — including a webpage's content and data, along with instructions and requirements — to an AI provider and receive a response containing valid Schema.org JSON-LD for saving and embedding in a webpage. It's a "glue module" that combines AI Automators, Field Widget Actions, and JSON Field to create an AI-powered Schema.org JSON-LD field for content entities.
• Module name/project name:
  • AI Schema.org JSON-LD
• Brief history
  • How old: Created in April 2026 by jrockowitz (Jacob Rockowitz) of The Big Blue House
  • Versions available: 1.0.0-alpha1 (requires Drupal ^11.3); 1.0.x-dev branch also available
• Maintainership
  • Actively maintained Yes — updated as recently as April 30, 2026
  • Security coverage No — not currently covered by Drupal's security advisory policy; use at your own risk
  • Test coverage The module notes that all contributed code must include test coverage, though it is early alpha
  • Documentation Yes — the project page includes setup instructions, implementation guidance, philosophy, and a 2-minute demo video on YouTube
  • Number of open issues: 0 open issues, 0 of which are bugs against the current branch
• Usage stats:
  • 1 site currently reporting use of this module
• Module features and usage
  • Adds a native JSON "Schema.org JSON-LD" field to content entities (nodes, media, taxonomy terms)
  • Field is populated via an AI automator triggered by a Field Widget Action, keeping a human in the review loop before saving
  • Stores Schema.org JSON-LD as native JSON data, creating a fully queryable knowledge graph for the site
  • Works with complex nested content structures (paragraphs, components) by having AI parse and generate the structured data
  • Includes an optional sub-module for logging prompts and AI responses for human and AI review and iterative improvement
  • Configurable per entity type/bundle via UI, Drush, or Drupal recipe
  • Philosophy: "Use AI to build a tool that helps AI understand your website while always keeping a human in the loop"
  • Built using AI coding agents (Claude and Codex), with community contributions encouraged — especially around crafting and sharing optimal prompts

Among last week’s more closely watched Drupal business developments was a new initiative from Acquia that directs 2% of eligible partner-driven transactions to the Drupal Association. The contribution is built into Acquia’s updated partner programme and funded by the company itself, meaning partner incentives and customer pricing remain unchanged.

What drew attention across the community was not simply the contribution percentage, but the way the programme has been structured. Drupal funding conversations have often returned to the same pressure points around sponsorship cycles, institutional support, and long-term maintenance responsibilities. Acquia’s framing moves that discussion toward routine commercial activity rather than a separate community-facing commitment.

Both James Sims and Dries Buytaert described the initiative in terms of continuity and alignment rather than philanthropy. Their comments pointed to the same underlying argument: if commercial Drupal activity continues to scale, support structures around the project may also need models that scale more predictably alongside it.

Whether similar approaches emerge elsewhere remains uncertain. For years, much of Drupal’s organisational support has depended on periodic sponsorships and voluntary reinvestment. Acquia’s model, in contrast, ties funding directly to ongoing commercial activity, introducing a level of predictability that community funding discussions have often lacked.

With that said, here’s what else The Drop Times covered across the Drupal community last week.

• Nick Opris Develops Daily Digest for Drupal AI Initiative Activity
• Apex AI 2.0 Expands Drupal AI Integration With Multi-Provider Orchestration
• Drupal AI Context CCC Beta 2 Expands Governed AI Workflow Capabilities
• UI Suite Monthly #35 Highlights Translation Support, Core APIs, and AI-Assisted Display Building
• Display Builder for Drupal Adds Component-Driven Entity Display Management

• Acquia Launches Fair Trade Initiative Linking Partner Revenue to Drupal Association Funding

• Drupal Community Mourns the Loss of Alanna Burke

• Dominique De Cooman Proposes Athena Milestone for Drupal AI Initiative

• Drupal Community Invited to Participate in The DropTimes Townhall Discussions
• DrupalSouth Announces 2026 Splash Awards Winners
• Centarro Webinar to Examine Drupal Commerce Performance Bottlenecks
• LocalGov Drupal Camp 2026 to Focus on AI Governance, Open Standards and Council Collaboration
• Montréal Drupal Meetup to Feature AI Governance and Drupal 11 Integration Demo
• Acquia Engage London 2026 Set for 18–19 May

Additional developments from across the Drupal ecosystem were published during the week. Readers can follow The Drop Times on LinkedIn, Twitter, Bluesky, and Facebook for ongoing updates. The publication is also active on Drupal Slack in the #thedroptimes channel.

Kazima Abbas
Sub-editor
The Drop Times