Drupal is playing down estimates that more than 100,000 websites are still vulnerable to months-old critical security flaws in its content management system.
The developer said Thursday that reports from earlier this week claiming tens of thousands of sites were not patched with version 7.58, and thus were vulnerable to an attack dubbed Drupalgeddon 2, were based on bad info.
The number was floated by security researcher Troy Mursch, who based the estimate on a set of 500,000 sites he found using Drupal. The researcher said that of the 500,000 observed sites, 115,070 were found to be running an outdated version of Drupal 7 that would be vulnerable to the remote-code-execution hole discovered in April. An additional 134,447 sites were deemed to not be at risk, and 225,056 sites could not be diagnosed either way.