Drupal Marks Two Contributed Projects Unsupported After Critical Advisories
Sites using the Composer project or the Brute force attack protection module should uninstall them after Drupal.org published two critical contributed-project advisories on 10 June 2026.
The advisories mark both projects unsupported because known security issues have not been fixed by their maintainers. Drupal.org lists all released versions of both projects as affected and does not provide patched releases.
The first advisory, SA-CONTRIB-2026-046, applies to the Composer project. Drupal.org assigned the issue CVE-2026-11914 and rated it Critical 16/25. The advisory states that it concerns a Drupal project that makes use of Composer, not the Composer dependency manager itself.
The second advisory, SA-CONTRIB-2026-047, applies to the Brute force attack protection project. Drupal.org assigned the issue CVE-2026-11915 and gave it the same Critical 16/25 risk rating.
Both advisories classify the vulnerability type as Unsupported. Drupal.org states that each project has a known security issue that remains unresolved, but the advisories do not publish technical exploit details or describe the affected code paths.
Drupal.org advises sites using either project to uninstall it. The advisories also link to Drupal’s process for taking over maintainership of a project that is unsupported for security reasons, leaving a possible path for future support if the security issue is fixed and maintainership is resolved.
Site administrators should check whether either project is present in their codebase before planning further action. Replacement decisions should be based on site-specific requirements because the advisories do not identify direct substitutes.
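One way to run that codebase check, as an added example that is not taken from Drupal.org or either advisory: it looks for the projects as drupal/<name> packages in composer.lock and in the project: line that Drupal.org packaging writes into *.info.yml files, which catches copies installed without Composer. The two machine names are placeholders (the advisories' project short names are not given here), and the lock file and module tree in demo() are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Placeholder machine names (assumption): replace with the project short names
# from the drupal.org project URLs named in the two advisories.
UNSUPPORTED = {"placeholder_project_a", "placeholder_project_b"}

# Drupal.org-packaged releases carry a line such as  project: 'name'  in *.info.yml
PROJECT_LINE = re.compile(r"^project:\s*['\"]?([A-Za-z0-9_]+)['\"]?\s*$", re.M)

def from_lockfile(lock_text, names):
    """Return {project: version} for drupal/<project> entries in composer.lock."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            vendor, _, short = pkg.get("name", "").partition("/")
            if vendor == "drupal" and short in names:
                found[short] = pkg.get("version", "unknown")
    return found

def from_disk(root, names):
    """Return {project: [dirs]} for extensions present on disk, Composer or not."""
    found = {}
    for info in Path(root).rglob("*.info.yml"):
        m = PROJECT_LINE.search(info.read_text(encoding="utf-8", errors="replace"))
        if m and m.group(1) in names:
            found.setdefault(m.group(1), []).append(str(info.parent))
    return found

def demo():
    """Run both checks on a constructed lock file and a constructed module tree."""
    lock_text = json.dumps({
        "packages": [
            {"name": "drupal/core", "version": "11.1.0"},
            {"name": "drupal/placeholder_project_a", "version": "1.0.0"},
        ],
    })
    with tempfile.TemporaryDirectory() as tmp:
        mod = Path(tmp, "web", "modules", "copied_in")
        mod.mkdir(parents=True)
        (mod / "copied_in.info.yml").write_text("project: 'placeholder_project_b'\n")
        disk = {k: len(v) for k, v in from_disk(tmp, UNSUPPORTED).items()}
    return from_lockfile(lock_text, UNSUPPORTED), disk

if __name__ == "__main__":
    print(demo())
```

A hit from either function only shows the code is present; whether the module is still enabled on the site has to be checked in Drupal itself before uninstalling.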
