21 May 2026

feedSymfony Blog

Claude Mythos Audited Symfony and Found 19 Vulnerabilities

Claude Mythos Preview is a new general-purpose AI language model by Anthropic. This model performs strongly across the board, but it is especially strong at computer security tasks. This model is not publicly available yet, but Anthropic is making it available…

21 May 2026 7:25am GMT

feedDrupal.org aggregator

PreviousNext: Keywords to Context: Semantic Search and Retrieval-Augmented Generation with OpenSearch

Keyword search struggles with natural language and exploratory questions. Daniel walked the DrupalSouth 2026 audience through how OpenSearch and Skpr enable semantic search that understands intent and meaning, and how Retrieval-Augmented Generation (RAG) transforms results into clear, human-friendly answers grounded in your actual content.

by daniel.veza /

21 May 2026 3:00am GMT

PreviousNext: PreviousNext wins four Splash Awards and a third consecutive Best in Show at DrupalSouth Wellington 2026

Last week, the PreviousNext team headed over to Wellington for DrupalSouth 2026, and what a week it was.

by ana.beltran /

The highlight of the week was the Splash Awards - and this year, we are honoured to have won:

  • Best in Government with Cancer Australia for the GovCMS PaaS project we did in collaboration with Paper Moose
  • Best in Show with Cancer Australia
  • Community People's Choice Award - Adam Bramley (jointly awarded to Nicole Ritchie)
  • Hall of Fame - Lee Rowlands

Congratulations to Lee and Adam! Both deserved the recognition for their active work with the Drupal Community.

The Best in Show win for Cancer Australia makes this a remarkable run. PreviousNext has now won Best in Show three times back to back. Here's the full picture:

Adam Bramley and Daniel Veza receiving the Splash Award for Cancer Australia
Photo credit: Karl Hepworth - https://www.flickr.com/people/200855369@N08/ License: ShareAlike 2.0 https://creativecommons.org/licenses/by-sa/2.0/deed.en

Wellington was also a milestone for Skpr's, which officially launched in the New Zealand market at DrupalSouth. If you haven't seen or heard about Skpr yet, now is a good time!

From there, it was all about the Drupal community. We spent the week reconnecting with familiar faces, meeting new ones, and having the kinds of conversations that don't happen over email.

We had six PreviousNext team members take the stage this year:

We were also thrilled to have Lara Saunders from Bond University join us at DrupalSouth this year. It's always great to see clients engage with the broader Drupal community.

We're incredibly proud of the team - and grateful to the clients and community who make this kind of recognition possible. See you all next year on the Gold Coast!

Group photo at DrupalSouth 2026 Wellington
Photo credit: Karl Hepworth - https://www.flickr.com/people/200855369@N08/ License: ShareAlike 2.0 https://creativecommons.org/licenses/by-sa/2.0/deed.en

21 May 2026 2:43am GMT

20 May 2026

feedDrupal.org aggregator

Security advisories: Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Project:
Date:
2026-May-20
Vulnerability:
SQL injection
Affected versions:
>= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10
CVE IDs:
CVE-2026-9082
Description:

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.

This vulnerability can be exploited by anonymous users.

This vulnerability only affects sites using PostgreSQL. However, the dependency updates in this release apply to all sites.

Upstream security advisories

The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities.

Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.

Solution:

Install the latest version.

The following releases will be available as soon as automated release packaging is complete. You may receive a 404 in the interim. The updates may also be available on Packagist sooner.

Drupal 11

Drupal 10

Drupal 9 and 8

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.

Fixed By:
Coordinated By:

20 May 2026 6:08pm GMT

feedSymfony Blog

CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names

Affected versions Symfony versions <5.4.52, >=6, <6.4.40, >=7, <7.4.12, >=8, <8.0.12 of the Symfony MIME component are affected by this security issue. The issue has been fixed in Symfony 5.4.52, 6.4.40, 7.4.12, 8.0.12. Description…

20 May 2026 1:37pm GMT

SymfonyOnline June 2026: Symfony Mate: Real Runtime Context for AI Coding Assistants

The wait is over! SymfonyOnline June 2026 is coming to you live online on June 11-12, 2026, featuring an incredible lineup of expert speakers. This year, we are shaking things up with a brand-new format: one full day dedicated to AI and another full…

20 May 2026 12:30pm GMT

01 Apr 2004

feedPlanet PHP

ezSystems are classy folks

cover
Last week I helped the folks at ezSystems debug some APC problems they were having. The problems ended up being a 64bit architecture problem (they have uber-fast Opterons) and the bug is now fixed in 2.0.3.

Today I received Python & XML from them (off my Amazon wishlist). Thanks guys!

On a side note, my wishlist seems borked. The list I get when I search on my email address or name is not the same one I can edit when I log into the site.

01 Apr 2004 6:53pm GMT

PHP april fools...

1st of April 2004 get's to it's end and I guess it's time, to summarize the recent April fools a bit. Not that I think anyone in the world believes in them, but some were quite funny:

1. Changes to case sensitivity in PHP.
Alan Knowles announced that PHP will change to the studlyCase API and therefor will get everything broken by changing established functions.

2. IBM takes over Zend.
Myself hacked a little article about IBM taking over Zend to make PHP a compete of Java.

3. The first PHP virus has been seen.
Wasn't there one last year, too?

4. PHP has been overtaken by Micro$oft.
Mhhh... a little bit unreliable, if they had been taken over by IBM this morning... Maybe one should first look, what others wrote...

5. And finally, PHP4 and 5 showed their real faces...
Take a look at a phpinfo() output!

I guess I missed some, so feel free to comment on this entry, if you found another!

01 Apr 2004 5:49pm GMT

PHP Virus Attacking Web Hosts

Symantec have a report of the virus here. I've yet to see any of the PHP news sites picking up on it but, using a virtual host account, managed to deliberately expose some PHP scripts to it. From examining the infected scripts, what's disturbing is once infected, every tim...

01 Apr 2004 12:19pm GMT