Wednesday, Apr 25th, 2018
Security risk: 
Advisory ID: 
Remote Code Execution
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.9.5

A remote code execution vulnerability exists within multiple subsystems of Backdrop. This potentially allows attackers to exploit multiple attack vectors on a Backdrop site, which could result in the site being compromised. This vulnerability is related to Backdrop core - Highly Critical - Remote Code Execution - BACKDROP-SA-CORE-2018-002. While BACKDROP-SA-CORE-2018-002 is being exploited in the wild, this vulnerability is not known to be in active exploitation as of this release.


Upgrade your site to the most recent version of Backdrop core.  Download available on the Backdrop CMS 1.9.5 release page.  See the update instructions, if needed.

  • If you are running 1.9.x, upgrade to Backdrop  1.9.5. (If you are unable to update immediately, you may apply the patch to fix the vulnerability until such time as you are able to completely update.)
  • If you are running 1.8.x, upgrade to Backdrop 1.8.4. (While Backdrop 1.8.x is no longer supported, and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing a releases for 1.8 that include this fix.)

This patch will only work if your site already has the fix from SA-CORE-2018-002 applied. (If your site does not have that fix, it may already be compromised.)

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive security announcements for core and contrib projects"