The content management system (CMS) Drupal contains several vulnerabilities, some of them classified as "critical". Bug-fix versions are available. Since attackers could gain control of websites, the CMS should be updated swiftly.

The developers have closed the vulnerabilities in the releases Drupal 7.60, 8.5.8, and 8.6.2. Those using older versions should at least upgrade to 8.5.x. According to the developers, this release will receive security updates until May 2019.

The security alert contains information about the vulnerabilities. Those classified as critical are in the Contextual Links Validation module and in Drupal's DefaultMailSystem::mail() mail system. Currently, not much is known about the attack scenarios. Evidently, the dispatch of crafted emails alone can lead to the execution of malicious code.