Getting Started with Views in Drupal CMS
Views is one of the most important modules in Drupal. After the field system, it is the tool you reach for most often as a site builder. You use it to build content listings, create blocks, power admin screens, and feed components into Drupal Canvas.
In the video above, you’ll learn how to build a Views page, customize fields with image styles and rewrite tokens, expose filters and sorts, configure pagers and infinite scroll, expose a view block as a Canvas component, and create a backend admin page.
LocalGov Drupal Camp 2026
LocalGov Drupal Camp 2026 was held on 11th and 12th June in the city of Sheffield in the north of England. I drove over the Pennines from my home in Cheshire to attend the camp for the two days.
LocalGov Drupal, in case you weren't aware, is a Drupal distribution that is set up in a way that makes it easy for councils to publish their content. Since it's built on Drupal the sites can also make use of the many Drupal modules available. There are also lots of additional LocalGov Drupal modules that integrate with waste collection systems, bus timetables, election results, and many more.
Last year, LocalGov Drupal was being used by 57 council websites across the UK. This year, that figure has jumped to 73! A fantastic achievement, with that number only set to get bigger.
The camp itself consisted of a Wednesday night social night, a day of talks and other sessions, followed by a day of workshops and sprints.
Wednesday Night
The social on Wednesday night was held at the National Videogame Museum in Sheffield city centre. On entry we got a couple of free drinks, and there was plenty of pizza to go around (perhaps too much pizza!).
This was an amazing venue to have a social! After spending a while catching up and chatting with lots of people we went into the museum itself and played some games for a while. 4 player Pacman and Ultimate Chicken Horse were particular favourites from the evening.
philipnorton42 Sun, 06/21/2026 - 18:49
AI Creates Content, CMS Keeps It Under Control: Why Drupal Still Matters in the AI Era
Robert Menetray Builds DruScan to Simplify Drupal Audits
Search Across Multiple Drupal Sites with Pantheon SOLR
Joel Steidl
Thu, 06/18/2026 - 13:34
Drupal
Search feels like a solved problem. Until you're managing a network of Drupal sites and your users expect to find content regardless of which one it lives on, that is. At that point, the question stops being "how do we add search?" and starts being "how do we build a unified search experience across an entire digital ecosystem?"
The obvious workaround is to bring in a third-party Solr provider. That works, but it means another vendor, another bill, and another service to monitor and secure. For organizations already invested in Pantheon's managed infrastructure, it further fragments the operational footprint rather than simplifying it.
At Aten, this challenge comes up regularly with clients running multi-site Drupal architectures on Pantheon. The solution we've landed on keeps everything within the platform, using four contributed modules working together as a hub-and-spoke proxy. This post walks through the architecture, why it exists, and how to implement it.
The Difference Between B2B and B2C eCommerce
B2C eCommerce usually gets all the attention, because that’s what most people engage with. They buy stuff from Amazon, Etsy, or a Shopify store without thinking too much about it. The customer comes to the website and makes a purchase. Usually, there is a portal to track the order and some transactional emails for updates, and finally, the package is delivered to their door. If they bought from a company that has its act together, they might spend the next 3-6 months being remarketed to because the company really wants to make this customer a repeat customer.
But this B2C eCommerce experience, while ubiquitous and recognizable to most, is only scratching the surface.
The scale of B2B commerce is actually much larger than its B2C cousin. The global B2B eCommerce market is expected to reach roughly $37 trillion in 2026, approximately six times the size of the global B2C market. Yet despite that enormous footprint, B2B digital commerce remains far less mature than its B2C counterpart. Software that serves the latter doesn’t work for the former. The differences between B2B and B2C commerce run deep, from how deals get made to how orders get shipped to how platforms are architected. Different customers. Different requirements. Different expectations. To add further complications, businesses increasingly need to operate in both worlds simultaneously.
Drupal AI 1.4.0: Unveiling Extensibility, Enterprise Resilience, and Advanced Guardrails
Just two months after the milestone release of Drupal AI 1.3.0, we are thrilled to announce that Drupal AI 1.4.0 is officially here!
With the 1.x branch reaching a high level of maturity and stability, we are excited to transition into a more predictable, bi-monthly minor release cadence. Moving forward, the Drupal community can look forward to a steady, reliable stream of improvements, new integrations, and expanded platform capabilities.
Drupal AI 1.4.0 represents a major evolutionary step, focusing heavily on extensibility, scalability, normalization, and preparing the broader ecosystem for the next generation of AI-powered digital experiences.
Let's dive into what's new in this release.
1. A Highly Extensible AI Ecosystem for Developers
One of our primary themes for 1.4.0 is giving contributed module developers the tools they need to extend and enrich Drupal AI. We want to make extending this module as seamless as writing a simple prompt.
Markdown Editor Extensibility
Contrib modules can now extend the markdown editor experience directly. The newly available Document Loader integration, for example, allows content creators to load content from virtually any document type directly into their editor workflow.
This architectural improvement opens the door for the community to build richer editor experiences and provider-specific tooling without requiring any modifications to Drupal AI core.
New "Skills" and Drush Generate Commands
To radically accelerate development speed and reduce boilerplate code, we are introducing both AI "skills" and drush generate commands that allow developers to rapidly generate:
Jorge Tutor’s CKEditor5 Markdown Module Gives Drupal Editors a Controlled Paste Path
Why DrupalCon Rotterdam Is Worth Attending
DrupalCon Rotterdam is one of those events that naturally attracts attention across the Drupal ecosystem. Not only because it brings the community together, but because it creates a space where technology, strategy, contribution and real-world digital projects meet.
For anyone working with Drupal, open source or digital experience platforms, the question is not just “what happens at DrupalCon?”, but it might be: “If you have never been before, why should this be the year to go?”
Photo by Joris Vercammen
Why Rotterdam?
Rotterdam feels like a strong fit for an event like DrupalCon. It is a city known for innovation, architecture, international connections and a forward-looking mindset — qualities that align naturally with the spirit of the Drupal community.
Bringing DrupalCon to Rotterdam creates an opportunity to connect the European Drupal community in a dynamic and accessible setting. It also gives professionals from different markets the chance to meet, exchange perspectives and discuss how Drupal continues to evolve in a fast-changing digital landscape.
Learning from real experience
One of the strongest reasons to attend DrupalCon is the quality of the knowledge shared by the community.
Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009
The JSON:API and REST modules allow you to upload image files to image fields.
The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.
Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.
Solution: Install the latest version:
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.12.
- If you use Drupal 11.2.x, update to Drupal 11.2.14.
Drupal 10
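The gap SA-CORE-2026-009 describes, extension checked but content not, can be seen in a short added example. This is not Drupal core code or the advisory's fix; the function names, the signature table and the sample uploads are constructed for illustration.

```php
<?php
// Added example with constructed sample data; not Drupal core code.

// Extensions accepted for each image type (illustrative list).
const IMAGE_EXTENSIONS = [
  'image/png'  => ['png'],
  'image/jpeg' => ['jpg', 'jpeg'],
  'image/gif'  => ['gif'],
  'image/webp' => ['webp'],
];

/** The check the advisory describes as insufficient: extension only. */
function extension_only_check(string $filename): bool {
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  return in_array($ext, array_merge(...array_values(IMAGE_EXTENSIONS)), TRUE);
}

/** Identify an image type from its leading magic bytes, or NULL. */
function sniff_image_type(string $bytes): ?string {
  if (strncmp($bytes, "\x89PNG\r\n\x1a\n", 8) === 0) return 'image/png';
  if (strncmp($bytes, "\xFF\xD8\xFF", 3) === 0) return 'image/jpeg';
  if (preg_match('/^GIF8[79]a/', $bytes)) return 'image/gif';
  if (strncmp($bytes, 'RIFF', 4) === 0 && substr($bytes, 8, 4) === 'WEBP') return 'image/webp';
  return NULL;
}

/** Accept only when the extension agrees with the sniffed content type. */
function extension_and_content_check(string $filename, string $bytes): bool {
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  $type = sniff_image_type($bytes);
  return $type !== NULL && in_array($ext, IMAGE_EXTENSIONS[$type], TRUE);
}

// Constructed uploads: a PNG header, markup named .png, a JPEG header named .gif.
$uploads = [
  'photo.png' => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16),
  'notes.png' => '<html><body>not an image</body></html>',
  'photo.gif' => "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16),
];
foreach ($uploads as $name => $bytes) {
  printf("%-10s extension-only=%s extension+content=%s\n", $name,
    extension_only_check($name) ? 'accept' : 'reject',
    extension_and_content_check($name, $bytes) ? 'accept' : 'reject');
}
```

A header match shows only how a file starts, so this check complements the core update rather than replacing it.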
Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008
The Media module comes with support for oEmbed. The oEmbed specification contains two discovery mechanisms, via providers.json and via URL discovery.
The URL discovery code could be leveraged to trick Drupal into making server-side requests to any URL.
Solution: Install the latest version:
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.12.
- If you use Drupal 11.2.x, update to Drupal 11.2.14.
Drupal 10
Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007
Drupal core ships a rebuild.php front controller that can be used to rebuild Drupal (clearing the caches and rebuilding the container) when the site is in an unexpected condition.
This script doesn't correctly check the Host header against the list of trusted host patterns. This could result in cache poisoning or a redirect to an attacker-controlled domain.
Solution: Install the latest version:
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.12.
- If you use Drupal 11.2.x, update to Drupal 11.2.14.
Drupal 10
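What checking a Host header against trusted host patterns involves, as an added example that is not the code of rebuild.php or of Drupal core. It goes slightly beyond the advisory by also showing why each pattern, as configured in `$settings['trusted_host_patterns']`, should be anchored; the function name, hosts and patterns are constructed.

```php
<?php
// Added example with constructed hosts and patterns; not Drupal core code.

/** TRUE when the Host header value matches at least one trusted pattern. */
function host_is_trusted(string $hostHeader, array $patterns): bool {
  // Normalise: trim, lower-case, drop an optional :port suffix.
  $host = preg_replace('/:\d+$/', '', strtolower(trim($hostHeader)));
  // Refuse anything that is not a plain DNS name or IPv4 literal.
  if (!preg_match('/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/', $host)) {
    return FALSE;
  }
  foreach ($patterns as $pattern) {
    // Patterns are regular expressions, matched case-insensitively.
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  // No pattern matched (or none configured): fail closed.
  return FALSE;
}

// Weak: unanchored, so it matches anywhere inside the host name.
$weak = ['example\.com'];
// Corrected: anchored at both ends, one entry per allowed host.
$anchored = ['^example\.com$', '^www\.example\.com$'];

// Constructed Host header values.
$hosts = [
  'www.example.com',
  'WWW.Example.com:443',
  'www.example.com.untrusted.test',
  'exa mple.com',
  '',
];
foreach ($hosts as $h) {
  printf("%-34s weak=%s anchored=%s\n", var_export($h, TRUE),
    host_is_trusted($h, $weak) ? 'trusted' : 'refused',
    host_is_trusted($h, $anchored) ? 'trusted' : 'refused');
}
```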
Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006
Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.
This issue is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize().
Install the latest version:
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.12.
- If you use Drupal 11.2.x, update to Drupal 11.2.14.
Drupal 10
Drupal core - Critical - PHP object injection - SA-CORE-2026-005
SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services.
The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.
This vulnerability is mitigated by the fact that in order to be exploitable:
- A site must use an entity reference field type that stores a serialized property.
- An attacker must have permission to write to the entity via JSON:API.
No field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules.
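Both SA-CORE-2026-006 and SA-CORE-2026-005 depend on untrusted data reaching unserialize(). The added example below, which is not Drupal core code, shows one defensive pattern for data that should only ever contain scalars and arrays; the class and function names and the sample data are constructed.

```php
<?php
// Added example with constructed data; not Drupal core code.

/** Constructed stand-in for a class whose magic method has a side effect. */
final class ConstructedSideEffect {
  public static int $wakeups = 0;
  public function __wakeup(): void {
    self::$wakeups++;
  }
}

/** TRUE when the decoded value contains an object at any depth. */
function contains_object(mixed $value): bool {
  if (is_object($value)) return TRUE;
  if (is_array($value)) {
    foreach ($value as $item) {
      if (contains_object($item)) return TRUE;
    }
  }
  return FALSE;
}

/** Decode data expected to hold only scalars and arrays; refuse objects. */
function decode_plain_data(string $serialized): mixed {
  // allowed_classes => FALSE turns every object into __PHP_Incomplete_Class,
  // so no __wakeup() or __destruct() of a real class runs during decoding.
  $value = @unserialize($serialized, ['allowed_classes' => FALSE]);
  if ($value === FALSE && $serialized !== serialize(FALSE)) {
    throw new UnexpectedValueException('Not valid serialized data.');
  }
  if (contains_object($value)) {
    throw new UnexpectedValueException('Serialized objects are not accepted.');
  }
  return $value;
}

// Constructed inputs: one plain array, one array carrying an object.
$inputs = [
  'plain' => serialize(['title' => 'Constructed', 'weight' => 3]),
  'with object' => serialize(['item' => new ConstructedSideEffect()]),
];
foreach ($inputs as $label => $data) {
  try {
    printf("%s: accepted %s\n", $label, json_encode(decode_plain_data($data)));
  } catch (UnexpectedValueException $e) {
    printf("%s: rejected (%s)\n", $label, $e->getMessage());
  }
}
printf("__wakeup() calls: %d\n", ConstructedSideEffect::$wakeups);
```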
QED42 Opens EventHorizon Waitlist After Releasing Open-Source Drupal CLI
Secure and quality content - Automating moderation tests with Cypress
Delivering Convivial for Gov to the Drupal Marketplace
International Splash Awards 2026: Submission deadline extended to 16 July
Good news for everyone still polishing their entry: we've extended the submission deadline for the International Splash Awards 2026 by four weeks. You now have until 16 July 2026 to submit your project.
As part of our commitment to a fair process, we want to give every Drupal community and agency ample time to put their best work forward. So we're opening the doors wider rather than closing them.
The Splash Awards celebrate the very best Drupal projects from around the world, with winners announced at DrupalCon Rotterdam 2026 (28 September – 1 October). Submitters will be notified of their status in early August.
Learn more & submit your project
Questions? Email drupal@kuonitumlare.com or reach us in #drupalcon_europe on Drupal Slack.
Don't let AI have the last word
What an exciting time to be a developer. Over the past year, I've gradually begun adopting a number of AI tools to improve the quality of my work, be more efficient, and even dive into areas of development I had never been strong in.
The days of reading blog posts and tutorials or trying code challenges are over. Or are they?
I subscribe to a handful of technical newsletters which arrive in my inbox every week. I always look forward to learning about the new stuff, improvements to old stuff, or the exciting features or tools coming down the development pipeline. I read each one of them in their entirety and if I am too busy, I keep them in my inbox until I have the time to go through them. Sometimes this means I have two issues to read through because I have not been able to get the previous one. I never delete them until I am done with them.
Why waste my time when I can easily ask AI for help? The learning process is exciting for me, it always has been. In the AI era it might even be more important because what if AI is wrong? How do I know the code snippet I am provided is correct or won't cause regressions in my project? Maybe this is the reason I don't use front-end frameworks like Bootstrap or Tailwind in my projects. I have used them for prototyping, but never to dictate the direction or coding conventions in my project.
Let's take a look at a basic example that may seem trivial but could lead to major issues if not understood. Then we will dive into the real reason I decided to write this post.
An opportunity to help Web standards move in a good direction
Drupal now ships with HTMX, and there is currently a proposal to add a few of the building blocks into the HTML specification. The effort is nicknamed the triptych and the goal is to add three new HTML features:
theodore June 17, 2026