Wednesday, Sep 16th, 2020
Security risk: 
Moderately Critical
Advisory ID: 
Cross Site Scripting
Versions affected: 
  • Backdrop Core 1.16.x versions prior to 1.16.4
  • Backdrop Core 1.17.x versions prior to 1.17.1

Backdrop versions 1.15 and prior do not receive security coverage.


There will be a security release of Backdrop 1.17.x, and 1.16.x on Sept 30th, 2020 between 19:00 - 23:00 UTC. Security release announcements will appear here, on the Backdrop security page.  This release will not require a database update.

This security release will be a complimentary release to the Drupal security releases SA-CORE-2020-007 and SA-CORE-2020-010 issued on September 16th.

Because Backdrop issued its regularly scheduled minor release on September 15th, and based on the severity of these issues, the Backdrop Security Team has agreed to postpone this security release for two weeks. 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive security announcements for core and contrib projects"