Drupal.org aggregatorKeyword search struggles with natural language and exploratory questions. Daniel walked the DrupalSouth 2026 audience through how OpenSearch and Skpr enable semantic search that understands intent and meaning, and how Retrieval-Augmented Generation (RAG) transforms results into clear, human-friendly answers grounded in your actual content.
21 May 2026 3:00am GMT
Drupal.org aggregatorDrupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.
This vulnerability can be exploited by anonymous users.
This vulnerability only affects sites using PostgreSQL. However, the dependency updates in this release apply to all sites.
The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities.
Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.
Install the latest version.
The following releases will be available as soon as automated release packaging is complete. You may receive a 404 in the interim. The updates may also be available on Packagist sooner.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.
20 May 2026 6:08pm GMT
Recently, I contributed an AI-powered Schema.org JSON-LD module to Drupal that uses AI automators to generate Schema.org JSON-LD, building a knowledge graph that improves SEO/AEO by making it easier for machines to understand your website. The module was built with AI in 4 days, whereas the Schema.org Blueprints module with a similar goal took 4 years. I have been so shocked by how efficiently AI can code and build software that I realized, "AI ate my work, and I need to be okay with that." I wrote about how I am adjusting to this new "AI" normal.
A slightly different reckoning is unfolding for our websites because AI is consuming our content, thereby reducing traffic. Providing Schema.org JSON-LD is one way to feed the machines. AIs are becoming the front page of most websites. To adapt to this new "AI" normal, where an AI is the gatekeeper to your website, we need to evolve our approach to building and managing our websites.
Adaptation
Personally, "adaptation" feels like the right word to describe the challenge and change we, developers, site builders, managers, and owners, are facing right now. Adaptation is forced upon us by external constraints or opportunities, depending on your point of view, to evolve our approach to building and sharing information. There is a much larger discussion about the impact of AI on who we are, what we are building, and how we build. For now, I want to focus on what Drupal-built websites need to consider to adapt and keep up with the rapidly evolving digital landscape, which is largely out of our control.
Out of our control
How AIs are consuming our websites is out of our control. If you look back at how websites continually bent and tweaked to get a bump in page ranking, implementing now-defunct things like AMP (Accelerated Mobile Pages) because Google told us to,...Read More
20 May 2026 2:47pm GMT
Symfony BlogAffected versions Symfony versions <5.4.52, >=6, <6.4.40, >=7, <7.4.12, >=8, <8.0.12 of the Symfony MIME component are affected by this security issue. The issue has been fixed in Symfony 5.4.52, 6.4.40, 7.4.12, 8.0.12. Description…
20 May 2026 1:37pm GMT
The wait is over! SymfonyOnline June 2026 is coming to you live online on June 11-12, 2026, featuring an incredible lineup of expert speakers. This year, we are shaking things up with a brand-new format: one full day dedicated to AI and another full…
20 May 2026 12:30pm GMT
Affected versions Symfony versions >=6.4, <6.4.40, >=7.0, <7.4.12, >=8.0, <8.0.12 of the Symfony Lox24 Notifier and Symfony Mailjet Mailer components are affected by this security issue. The issue has been fixed in Symfony 6.4.40, 7.4.12,…
20 May 2026 10:56am GMT
Planet PHP
Last week I helped the folks at ezSystems debug some APC problems they were having. The problems ended up being a 64bit architecture problem (they have uber-fast Opterons) and the bug is now fixed in 2.0.3.
Today I received Python & XML from them (off my Amazon wishlist). Thanks guys!
On a side note, my wishlist seems borked. The list I get when I search on my email address or name is not the same one I can edit when I log into the site.
01 Apr 2004 6:53pm GMT
1st of April 2004 get's to it's end and I guess it's time, to summarize the recent April fools a bit. Not that I think anyone in the world believes in them, but some were quite funny:
1. Changes to case sensitivity in PHP.
Alan Knowles announced that PHP will change to the studlyCase API and therefor will get everything broken by changing established functions.
2. IBM takes over Zend.
Myself hacked a little article about IBM taking over Zend to make PHP a compete of Java.
3. The first PHP virus has been seen.
Wasn't there one last year, too?
4. PHP has been overtaken by Micro$oft.
Mhhh... a little bit unreliable, if they had been taken over by IBM this morning... Maybe one should first look, what others wrote...
5. And finally, PHP4 and 5 showed their real faces...
Take a look at a phpinfo() output!
I guess I missed some, so feel free to comment on this entry, if you found another!
01 Apr 2004 5:49pm GMT
Symantec have a report of the virus here. I've yet to see any of the PHP news sites picking up on it but, using a virtual host account, managed to deliberately expose some PHP scripts to it. From examining the infected scripts, what's disturbing is once infected, every tim...
01 Apr 2004 12:19pm GMT