Wednesday, Jan 16th, 2019
Security risk: 
Advisory ID: 
Third Party Libraries
Versions affected: 
  • Backdrop core versions prior to 1.12.1 and 1.11.5

Backdrop core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Backdrop configurations. Refer to CVE-2018-1000888 for details.

Another SA was released today, see also:


Upgrade your site to the most recent version of Backdrop core.  Download available on the Backdrop CMS 1.12.1 release page.  See the update instructions, if needed.

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive security announcements for core and contrib projects"