Drupal installations could be out of date and open to attack thanks to a borked update process that flags unpatched platforms as current.

The popular content management system is used by more than a million sites making it a significant target for hackers.

Indeed, in October 2014 attackers took mere hours to compromise untold piles of sites whose admins had failed to apply a patch against a dangerous SQL injection flaw.

Drupal at the time went as far as to proclaim all unpatched sites are considered compromised unless patches were immediately applied.