Download Drupal 9.4.5

Version 9.4.5 of Drupal has been released. Drupal is a PHP-written, user-friendly and powerful content management platform, which can be used to create websites, for example. It is simple enough for a novice user, but powerful enough to build a more complex website as well. Drupal contains a content management platform and a development framework. In version 9.4, among other things, the Olivero theme is now used as the default for a new install and the Claro theme is the new default for the backend. In version 9.4.5, a security vulnerability in CKEditor has been fixed:

Release notes

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. The CKEditor 5 experimental module is being developed for Drupal 10 WYSIWYG editing and depends on the third-party CKEditor 5 JavaScript library. CKEditor has issued a security advisory for CKEditor 5:

• CVE-2022-31175: Cross-site scripting (XSS) caused by the editor instance destroying process

Drupal core is only known to be vulnerable when the full HTML format is used with CKEditor within QuickEdit, and the exploit only affects the user who inserts a JavaScript payload. Since full HTML already allows writing JavaScript that can contain cross-site scripting (XSS) payloads, we are treating this update as a public security hardening.

CKEditor 4 is not affected, so sites where only the stable CKEditor module is enabled (with the CKEditor 5 experimental module uninstalled) will not be impacted and do not urgently need to update to this release. Drupal 9.4.x will receive security coverage until June 2023.