4 changes: 2 additions & 2 deletions composer.json
Expand Up @@ -12,8 +12,8 @@
"drupal/coffee": "^2.0.1",
"drupal/config_split": "^2.0.2",
"drupal/config_update": "^2@alpha",
"drupal/core-composer-scaffold": "~11.3.3",
"drupal/core-recommended": "~11.3.3",
"drupal/core-composer-scaffold": "~11.3.5",
"drupal/core-recommended": "~11.3.5",
Comment on lines +15 to +16

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Check for Drupal 11.3.5 release information on Packagist

# Query Packagist API for drupal/core-recommended versions around 11.3.5
echo "=== Checking drupal/core-recommended package info ==="
curl -s "https://repo.packagist.org/p2/drupal/core-recommended.json" | \
  python3 -c "
import sys, json, re
data = json.load(sys.stdin)
if 'packages' in data and 'drupal/core-recommended' in data['packages']:
  versions = data['packages']['drupal/core-recommended']
  # Keep only 11.3.x versions first, then sort numerically (newest first);
  # a plain string sort would rank '9.x' above '11.x' and hide the matches
  matches = [p for p in versions if p.get('version', '').startswith('11.3.')]
  numeric = lambda p: [int(n) for n in re.findall(r'\d+', p['version'])]
  for pkg in sorted(matches, key=numeric, reverse=True)[:10]:
    print(f\"Version: {pkg['version']}, Release date: {pkg.get('time', 'N/A')}\")
"

echo -e "\n=== Checking drupal/core-composer-scaffold package info ==="
curl -s "https://repo.packagist.org/p2/drupal/core-composer-scaffold.json" | \
  python3 -c "
import sys, json, re
data = json.load(sys.stdin)
if 'packages' in data and 'drupal/core-composer-scaffold' in data['packages']:
  versions = data['packages']['drupal/core-composer-scaffold']
  # Keep only 11.3.x versions first, then sort numerically (newest first)
  matches = [p for p in versions if p.get('version', '').startswith('11.3.')]
  numeric = lambda p: [int(n) for n in re.findall(r'\d+', p['version'])]
  for pkg in sorted(matches, key=numeric, reverse=True)[:10]:
    print(f\"Version: {pkg['version']}, Release date: {pkg.get('time', 'N/A')}\")
"
```

Repository: drevops/vortex

Length of output: 172


🌐 Web query:

Drupal 11.3.5 release security advisories vulnerabilities

💡 Result:

As of March 6, 2026, Drupal core does not have a 11.3.5 release listed on Drupal.org—the latest Drupal 11.3.x core release shown is 11.3.2. [1]

Because there is no Drupal core 11.3.5, there are no Drupal core security advisories or CVEs specifically tied to “Drupal 11.3.5.” Core vulnerabilities are published as SA-CORE-YYYY-### advisories and each advisory lists its affected version ranges and the fixed versions to upgrade to. For example: SA-CORE-2025-005 (DoS / cache poisoning) affected up to 11.2.7 and was fixed in 11.2.8 (so it does not list 11.3.x as affected). [2] Another example, SA-CORE-2025-001 (XSS) affected up to 11.1.2 and was fixed in 11.1.3. [3]

If you meant a different project (e.g., a distribution like Open Social 11.3.5, not Drupal core), tell me which project’s 11.3.5 you’re referring to and I’ll map its release to the relevant advisories/CVEs.

Sources:
[1] Drupal core releases listing (shows latest 11.3.x as 11.3.2): (drupal.org)
[2] SA-CORE-2025-005 affected/fixed versions: (drupal.org)
[3] SA-CORE-2025-001 affected/fixed versions: (drupal.org)


🌐 Web query:

Drupal core 11.3.5 patch release notes changes

💡 Result:

As of March 6, 2026, there is no Drupal core 11.3.5 release published on Drupal.org; the latest 11.3.x patch release shown is 11.3.4 (released March 5, 2026). [1]

Drupal core 11.3.4 — patch release notes (changes)

Key items called out in the release notes: [2]

  • CKEditor 5 updated to 47.6.0, which includes an upstream security fix for an XSS issue in CKEditor’s General HTML Support feature; Drupal Security Team notes it’s not considered exploitable in Drupal’s built-in CKEditor 5 integration, but recommends reviewing the advisory if you have a custom CKEditor 5 implementation. [2]
  • Bugfixes and maintenance updates since 11.3.3, including (examples): modal pager “Last” links, entity title callback TypeError for unlabeled entities, “current user changed unexpectedly” fix, navigation accessibility improvements, HTMX behaviors on body swaps, various Claro/Olivero UI fixes, config/schema fixes, and other internal fixes. [2]

If you meant 11.3.4 and want the full change list, it’s under “All changes since 11.3.3” in the 11.3.4 release notes. [2]

Sources: [1] [2]


Correct the version constraint to use Drupal 11.3.4; 11.3.5 does not exist.

As of March 2026, Drupal 11.3.5 has not been released. The latest patch version in the 11.3.x series is 11.3.4 (released March 5, 2026). The version constraints in composer.json should be updated to ~11.3.4 for both drupal/core-composer-scaffold and drupal/core-recommended to point to an actual release.

11.3.4 includes important maintenance fixes and a CKEditor security update.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@composer.json` around lines 15 - 16, The composer.json currently pins
drupal/core-composer-scaffold and drupal/core-recommended to "~11.3.5" which
does not exist; update both version constraints to "~11.3.4" (replace "~11.3.5"
with "~11.3.4" for the symbols drupal/core-composer-scaffold and
drupal/core-recommended) and then run composer validate and composer update to
ensure the lockfile and dependencies are consistent.

"drupal/environment_indicator": "^4.0.25",
"drupal/migrate_plus": "^6.0.10",
"drupal/migrate_tools": "^6.1.3",
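Review bot: the new floor `~11.3.5` on `drupal/core-composer-scaffold` and `drupal/core-recommended` restricts Composer to releases >=11.3.5 and <11.4.0, so dependency resolution fails if either package has no published tag in that range. Confirm that both resolve before merging, for example with `composer update "drupal/core-*" --with-all-dependencies --dry-run`, and make sure the regenerated composer.lock lands in the same PR, since it is not among the visible changes. Moving the two constraints together, as this hunk does, is correct; they should not be allowed to drift apart in later bumps.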