What's new since our earlier coverage: We previously reported on NGINX CVE-2026-42945 being under active attack. This post adds important nuance from security researcher Kevin Beaumont about real-world RCE risk, and covers the entirely separate Drupal emergency patch — announced May 19, 2026 — which represents a second urgent threat hitting website owners at the same time.
This week handed website administrators a double dose of urgency. Drupal — the CMS powering government sites, universities, media organizations, and countless small business portals — is pushing an emergency core security patch today, May 20. Meanwhile, NGINX, which underpins a massive share of the public internet's infrastructure, is already being actively exploited in the wild. If your website runs on either platform, this is the week to stop putting off that update.
Here's what's happening, what it means in plain language, and exactly what you need to do.
Part 1: Drupal's Emergency Core Update — Today Is the Day
What's Going On
The Hacker News reports that Drupal has announced it will release a "core security release" for all supported branches on May 20, 2026, between 5:00 and 9:00 p.m. UTC. The specific nature of the vulnerability has not been disclosed yet — that's standard practice ahead of a coordinated release — but the language Drupal's security team used in their advisory is unusually direct:
"The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days."
That's not boilerplate. When the maintainers of a platform this size say exploits could appear within hours, it means the underlying flaw is serious enough that the gap between the patch going public and attackers weaponizing it is expected to be very short.
Which Versions Are Affected?
Patches will be released for four currently supported branches:
- 11.3.x
- 11.2.x
- 10.6.x
- 10.5.x
If your site runs any of these versions, Security Affairs recommends updating to the latest patch release for your branch right now, before the security window opens. That way, any existing upgrade issues are out of the way and you can apply the security fix cleanly the moment it drops.
What About Older Versions?
Drupal is going a step further than usual by providing best-effort patch releases for two end-of-life minor versions: 11.1.x and 10.4.x.
- Sites on Drupal 11.1 or 11.0 should update to at least Drupal 11.1.9 before the patch window.
- Sites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least Drupal 10.4.9.
The plan is to get as close to a supported state as possible today, apply the security fix as soon as it lands, then plan a full upgrade to 11.3 or 10.6 shortly after.
The Hard Truth About Drupal 8 and 9
If your site is still running Drupal 8 or Drupal 9, you're in a tough spot. Manual patch files for Drupal 8.9 and 9.5 will be made available, but there's no guarantee they'll apply cleanly or that they won't introduce new problems. As Drupal's advisory states directly:
"We strongly recommend Drupal 8 or 9 sites update to at least Drupal 10.6 soon. Drupal 8 and 9 include numerous other, previously disclosed, security vulnerabilities that will not be addressed by either Drupal Steward or the best-effort patch files."
Running Drupal 8 or 9 in 2026 means carrying a growing backlog of unpatched vulnerabilities that today's emergency release simply won't touch. Today's patch is a fire alarm — but if you're on version 8 or 9, there are already other fires burning quietly in the background.
One bit of good news: Drupal 7 is not affected by this vulnerability.
Your Drupal Action Plan
- Right now: Update to the latest patch release for your supported branch (11.3.x, 11.2.x, 10.6.x, or 10.5.x).
- During the 5–9 p.m. UTC window on May 20: Apply the security update as soon as it drops. Check whether your specific configuration is affected — mitigation details will be included in the advisory.
- If you're on 11.1 or 10.4: Update to 11.1.9 or 10.4.9 now, apply today's fix, then plan your full upgrade.
- If you're on Drupal 8 or 9: Apply the manual patch files as a temporary measure, then treat an upgrade to 10.6 as a high-priority project — not a someday item.
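To make the branch rules above mechanical, here is an added shell example (not from Drupal's advisory or tooling) that reads the core version out of a docroot and says which bucket the advisory puts it in. It reads core/lib/Drupal.php (Drupal 8 and later) or includes/bootstrap.inc (Drupal 7) for the version constant; the supported branches and the 11.1.9 and 10.4.9 thresholds are the ones listed above, and the demo docroot it builds is constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a Drupal site against the May 20 core security release.
# The branch list and the 11.1.9 / 10.4.9 thresholds come from the advisory text;
# the demo docroot built at the bottom is constructed, not a real site.

# Print the core version found under a Drupal docroot.
drupal_version_from_docroot() {
  root=$1
  if [ -f "$root/core/lib/Drupal.php" ]; then
    # Drupal 8+: class Drupal { const VERSION = '10.4.3'; ... }
    sed -n "s/.*const VERSION = '\([0-9][0-9.]*\)'.*/\1/p" "$root/core/lib/Drupal.php" | head -n 1
  elif [ -f "$root/includes/bootstrap.inc" ]; then
    # Drupal 7: define('VERSION', '7.103');
    sed -n "s/.*define('VERSION', '\([0-9][0-9.]*\)').*/\1/p" "$root/includes/bootstrap.inc" | head -n 1
  else
    echo "no Drupal core found under $root" >&2
    return 1
  fi
}

# Map a version string (e.g. 10.4.3) to an action. Output is "<class>: <what to do>";
# the class is one of supported, eol-minor-update, eol-minor-ready, unsupported,
# not-affected. Versions the advisory does not cover return 1.
drupal_triage() {
  ver=$1
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
  patch=${patch%%[!0-9]*}            # drop -dev / -rc suffixes before arithmetic
  case "$major.$minor" in
    11.3|11.2|10.6|10.5)
      echo "supported: update to the latest $major.$minor.x now, then apply the core security release in the May 20 window" ;;
    11.1|11.0|10.4|10.3|10.2|10.1|10.0)
      # End-of-life minors: best-effort releases are only provided from 11.1.9 / 10.4.9 up.
      case "$major" in 11) target=11.1.9; upgrade=11.3 ;; *) target=10.4.9; upgrade=10.6 ;; esac
      tminor=${target#*.}; tminor=${tminor%%.*}; tpatch=${target##*.}
      if [ "$minor" = "$tminor" ] && [ "${patch:-0}" -ge "$tpatch" ]; then
        echo "eol-minor-ready: at $target or later; apply the best-effort patch release, then upgrade to $upgrade"
      else
        echo "eol-minor-update: update to $target first, apply the best-effort patch release, then upgrade to $upgrade"
      fi ;;
    *)
      case "$major" in
        8|9) echo "unsupported: Drupal $major gets manual patch files only (8.9 / 9.5); treat the upgrade to 10.6 as a high-priority project" ;;
        7)   echo "not-affected: Drupal 7 is not affected by this release" ;;
        *)   echo "unknown: '$ver' is not a version the advisory covers" >&2; return 1 ;;
      esac ;;
  esac
}

# Demo on a constructed docroot (point it at your real docroot, e.g. /var/www/html).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/core/lib"
printf "<?php\nclass Drupal {\n  const VERSION = '10.4.3';\n}\n" > "$demo_root/core/lib/Drupal.php"
v=$(drupal_version_from_docroot "$demo_root")
echo "$demo_root: $v -> $(drupal_triage "$v")"
rm -rf "$demo_root"
```

For a host with several sites, loop over the docroots and feed each version into drupal_triage; anything that does not come back "supported" needs work before the 5 to 9 p.m. UTC window, not after it.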
Part 2: NGINX CVE-2026-42945 — Actively Being Exploited Right Now
What's Happening
While the Drupal situation is urgent but not yet exploited, the NGINX story is already past that point. Security Affairs reports that CVE-2026-42945 — a critical heap buffer overflow affecting both NGINX Plus and NGINX Open Source — is being actively exploited in the wild, just days after the vulnerability was publicly disclosed. VulnCheck confirmed active exploitation on its canary infrastructure.
The flaw, named NGINX Rift, carries a CVSS v4 score of 9.2 and lives in ngx_http_rewrite_module, a component compiled into every standard NGINX build (it is only absent if NGINX was built with --without-http_rewrite_module; nginx -V lists the build options). The vulnerability is triggered by a specific configuration pattern involving unnamed PCRE capture groups combined with rewrite directives, a pattern common enough that many real-world deployments could be affected without administrators realizing it.
How Bad Is the Remote Code Execution Risk, Really?
Here's where it gets nuanced, and the nuance matters. Security researcher Kevin Beaumont has noted that while CVE-2026-42945 is a real and valid vulnerability, full remote code execution is unlikely in most real-world environments. That's because modern Linux distributions enable ASLR (Address Space Layout Randomization) by default, which significantly raises the bar for exploiting a heap overflow into actual code execution. The public proof-of-concept exploit only works after manually disabling ASLR.
As Beaumont explained: "It relies on a specific Nginx config to be vulnerable, and for an attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box."
In other words: crashes and denial of service are very much on the table. Widespread, automated RCE attacks are less likely — but that doesn't mean you should wait. Active exploitation is confirmed, and "probably won't lead to full takeover" is cold comfort when your site is down.
Your NGINX Action Plan
- Patch immediately. Apply the available security update for NGINX Plus or NGINX Open Source for your branch.
- Audit your rewrite configurations. The vulnerability is triggered by a specific combination of rewrite directives with unnamed PCRE capture groups and question marks in replacement strings. Dump the full effective configuration, including every included file, with nginx -T, and review each rewrite directive against that pattern. If you're unsure whether your config is affected, this is worth a careful review or a conversation with your developer.
- Verify ASLR is enabled on your Linux servers (`cat /proc/sys/kernel/randomize_va_space` should return 2). It should be on by default, but it's worth confirming. A value of 2 means full randomization, including the brk heap base; 1 randomizes only the stack and mmap regions; 0 means ASLR is off.
- Monitor for unusual traffic or crashes. Active exploitation is confirmed, so watch your logs, and treat NGINX worker processes exiting on a signal in the error log as a red flag.
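As an added example (not from the NGINX advisory, VulnCheck or Beaumont), the following shell script implements two of the checks in the list above: it scans an nginx -T dump for rewrite directives whose regex contains an unnamed capturing group and whose replacement contains a question mark, which is the pattern described here, and it reads randomize_va_space. The sample configuration it scans is constructed for illustration. A hit is a heuristic match on the described pattern, not confirmation that the instance is exploitable; the fix is to patch either way.

```sh
#!/bin/sh
# Added example: pre-screen an nginx configuration for the rewrite pattern described
# above (unnamed PCRE capture group in the regex, "?" in the replacement) and check ASLR.
# A hit is a heuristic match, not proof of exploitability; patch either way.

# Read an nginx config dump on stdin (normally `nginx -T`, which expands every include
# and prefixes each file with "# configuration file <path>:") and print one line per
# rewrite directive matching the pattern: "<file>: rewrite <regex> -> <replacement>".
audit_nginx_rewrites() {
  awk '
    BEGIN { file = "(stdin)"; split("", toks) }

    # Split a directive into tokens, honouring single/double quotes (nginx requires
    # quoting a regex that contains braces) and stopping at ";" or an unquoted "#".
    function tokenize(line, toks,   n, i, c, q, cur) {
      n = 0; cur = ""; q = ""
      for (i = 1; i <= length(line); i++) {
        c = substr(line, i, 1)
        if (q != "")                        { if (c == q) q = ""; else cur = cur c }
        else if (c == "\"" || c == "\047")  { q = c }
        else if (c == ";")                  { break }
        else if (c == "#" && cur == "")     { break }
        else if (c == " " || c == "\t")     { if (cur != "") { toks[++n] = cur; cur = "" } }
        else                                { cur = cur c }
      }
      if (cur != "") toks[++n] = cur
      return n
    }

    # An unnamed capturing group is a "(" that is not backslash-escaped, not inside a
    # [...] class, and not followed by "?" (which starts (?<name>...), (?:...) and lookarounds).
    function has_unnamed_group(re,   i, c, esc, incls) {
      esc = 0; incls = 0
      for (i = 1; i <= length(re); i++) {
        c = substr(re, i, 1)
        if (esc)       { esc = 0; continue }
        if (c == "\\") { esc = 1; continue }
        if (incls)     { if (c == "]") incls = 0; continue }
        if (c == "[")  { incls = 1; continue }
        if (c == "(" && substr(re, i + 1, 1) != "?") return 1
      }
      return 0
    }

    /^# configuration file .*:$/ { file = $0; sub(/^# configuration file /, "", file); sub(/:$/, "", file); next }

    {
      n = tokenize($0, toks)
      if (n >= 3 && toks[1] == "rewrite" && has_unnamed_group(toks[2]) && index(toks[3], "?") > 0)
        printf "%s: rewrite %s -> %s\n", file, toks[2], toks[3]
      split("", toks)
    }
  '
}

# Report the kernel ASLR setting; returns 0 only for full randomization (2).
check_aslr() {
  f=${1:-/proc/sys/kernel/randomize_va_space}
  [ -r "$f" ] || { echo "aslr: cannot read $f (not Linux, or no /proc)"; return 2; }
  case "$(tr -d '[:space:]' < "$f")" in
    2) echo "aslr: 2, full randomization (stack, mmap and brk heap base)"; return 0 ;;
    1) echo "aslr: 1, stack and mmap randomized but brk heap base is not"; return 1 ;;
    0) echo "aslr: 0, disabled"; return 1 ;;
    *) echo "aslr: unexpected value in $f"; return 2 ;;
  esac
}

# Constructed sample in `nginx -T` layout: two of the rewrites should be flagged.
SAMPLE_CONFIG=$(cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    server {
        listen 80;
        rewrite ^/old/(.*)$ /new?path=$1? last;                 # unnamed group + "?": flag
        rewrite ^/u/(?<id>[0-9]+)$ /user?id=$id last;           # named group: skip
        rewrite ^/img/(.*)\.jpeg$ /img/$1.jpg permanent;        # no "?" in replacement: skip
        rewrite "^/(?:legacy|old)/page$" /page? last;           # non-capturing group: skip
        rewrite ^/\(x\)/(?<a>.*)$ /y?a=$a last;                 # escaped parens: skip
        # rewrite ^/(.*)$ /c?$1 last;                           # commented out: skip
        include /etc/nginx/conf.d/*.conf;
    }
}
# configuration file /etc/nginx/conf.d/legacy.conf:
rewrite "^/v([0-9]{1,2})/(.*)$" /api?v=$1&p=$2 last;            # quoted regex, unnamed groups + "?": flag
EOF
)

printf '%s\n' "$SAMPLE_CONFIG" | audit_nginx_rewrites
check_aslr || true
```

On a real host run `nginx -T | audit_nginx_rewrites` as a user allowed to read the configuration; the trailing question mark in replacements is common because it is how NGINX is told not to append the original query string, so expect hits in ordinary configs and treat each one as something to patch and review rather than as a confirmed compromise.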
The Bigger Picture for Yuba City Small Businesses
If you're a small business or organization running a website on Drupal or NGINX — and many do, even without realizing it, since NGINX is often hidden behind hosting control panels and CDNs — this is a week where platform updates can't be left on the backburner. The window between a patch release and active exploitation is collapsing. Security teams are now explicitly warning that exploits can appear within hours of a public advisory.
If you're not sure what version of Drupal or NGINX your website runs, or if you manage your own server and this is feeling overwhelming, our team at Computer Works is happy to take a look. Website security and platform management are things we deal with regularly, and sometimes a quick assessment is all it takes to know where you stand.
The most important thing is simply not to wait. Both of these issues are live, active, and moving fast.
Tags: Cybersecurity, Web Security, Vulnerability, Patch Management, Small Business IT