Wednesday, Sep 30th, 2020
Security risk: 
Moderately Critical
Advisory ID: 
Cross Site Scripting
Versions affected: 
  • Backdrop Core 1.17.x versions prior to 1.17.1
  • Backdrop Core 1.16.x versions prior to 1.16.4

Backdrop versions 1.15 and prior do not receive security coverage.


Backdrop core's built-in CKEditor image caption functionality is vulnerable to XSS.

This SA is equivalent to Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010


Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.17.1 release page. See the update instructions, if needed.

Reported By: 
Fixed By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive security announcements for core and contrib projects"