
ExpressionEngine Security Update Details: What’s the Risk? Should I Update to EE 7.5.20?

[Image: a lock with a key on top of a keyboard. Photo from Unsplash by Sasun Bughdaryan.]
Logos are trademarks of their respective owners and are used here for informational purposes only.

ExpressionEngine today released an update to fix a security vulnerability they categorized as “high risk.”

TL;DR

They recommend that all EECMS sites upgrade immediately to the latest version of EE.

We agree.

We have examined the relevant code. This is not an over-cautious recommendation. This is an important security vulnerability that should be addressed immediately by all sites running EECMS to protect your site’s integrity.

The Release

The main developer of EE, Packet Tide, released version 7.5.20 today.
Here is the change log for EE 7.5.20.

They have not publicly disclosed any technical details of the exploit or the risk, which is standard practice for active vulnerabilities.

The Risk

We are not going to share more details in public than Packet Tide has. However, we have reviewed all the code in the security fix releases.

Based on our review, we agree that this is a “high risk” security issue. That classification generally indicates a vulnerability that could allow:

  • Unauthorized access
  • Data exposure
  • Privilege escalation
  • System compromise

We believe this issue could be present in many, perhaps even all, standard EE sites, and that it could exist in many prior versions of EE.

Should You Upgrade?

Yes.

If your site is actively maintained and on EE 6 or 7, this should be a straightforward task.

If you are running an older version of EECMS, it can still be rather simple. If you are running EE 4 or above, there is a one-click updater that still works just fine.

And the latest version of ExpressionEngine will upgrade any EE site as far back as EE 2.0.

Complicating factors would include updating or replacing third-party add-ons or custom PHP code. Older sites might also be running on older servers running older versions of PHP, which would make the upgrade process trickier.

Security Comparison

Overall, we remain confident in ExpressionEngine’s security profile. Compared to other content management systems, the EE CMS has historically had far fewer security releases and smaller scope vulnerabilities.

One measure of this is CVE reports. Looking at CVEDetails.com, you can see that ExpressionEngine has had 2 CVEs in the past two years and only 15 CVEs all-time, going back 22 years to 2004.

WordPress has had 14 CVE reports in the past two years and 362 or 419 CVEs overall in a similar time period.

Drupal has had 36 CVE reports in the past two years and 271 or 510 CVEs overall in a similar time period.

Craft CMS has had 13 CVE reports in the past two years and 78 CVEs overall in a similar time period.

It is not simply EE’s smaller market share that explains these vastly different counts. Other small CMSs also have more significant and frequent security issues. I included Craft CMS not to single it out, but because it is a typical comparison. Craft CMS has 400% more CVEs than EE, and it has been around 10 years less—50% less time—than EECMS.

We believe this record is achieved because of the culture of the ExpressionEngine community and the different priorities of the stewards of its code.

Overall Advice

We remain impressed with the EE platform. We like the calibre of the community, the quality of the documentation, and the new features and fixes they steadily roll out. They release new builds every 4-6 weeks and continue to impress us with their stability and their approach.

No CMS is immune to vulnerabilities. What matters is responsiveness, patch cadence, and architectural discipline. ExpressionEngine continues to perform well in those areas.

Outdated CMS software is one of the most common entry points for hacker attacks—issues at the stack level are usually less common and more regularly patched. This high-severity issue is a demonstration of how quickly vulnerabilities can emerge, and why regular CMS updates are important for both security and performance. Websites that are kept up-to-date regularly are easier to update when there is a sudden urgency—and are also more pleasant to use on a regular basis.

Need Help?

We want the entire EE community secure and stable.

As one of the many services we provide to our clients, we keep you regularly informed about topics like this, though usually with less urgency. Learn more about our Client Care Program.

If you would like an instant assessment of your site’s upgrade path, we are happy to chat with you at no cost. Use our contact form to get in touch.
