20 May 2026

Symfony Blog

CVE-2026-47732: Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points

Affected versions Twig versions <=3.25.0 are affected by this security issue. The issue has been fixed in Twig 3.26.0. Description SandboxNodeVisitor enforces SecurityPolicy::checkMethodAllowed() for implicit __toString() calls by wrapping selected…

20 May 2026 10:30am GMT

CVE-2026-46634: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name

Affected versions Twig versions >=3.9.0, <3.26.0 are affected by this security issue. The issue has been fixed in Twig 3.26.0. Description When the sandbox is enabled selectively via SourcePolicyInterface (and not globally), a sandboxed template…

20 May 2026 10:29am GMT

CVE-2026-46629: Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments

Affected versions Twig versions <3.26.0 of the Twig Intl Extra component are affected by this security issue. The issue has been fixed in Twig 3.26.0. Description IntlExtension memoises every \IntlDateFormatter and \NumberFormatter it creates in instance-level…

20 May 2026 10:29am GMT

Drupal.org aggregator

Dries Buytaert: Why Drupal CMS matters

Last week at Drupal South, Pamela Barone delivered a keynote on Drupal CMS. Her talk is one of the clearest articulations I've seen of what Drupal CMS is, why it exists, and where it's headed. That shouldn't come as a surprise because Pam is the Product Lead for Drupal CMS.

Pam quoted a familiar Drupal saying: "Drupal makes hard things possible, but it also makes easy things hard." The room laughed because it's true.

Her keynote makes the case that Drupal CMS is making Drupal easier across the board: visual page editing, a gentler on-ramp for new developers, and project economics that finally work for smaller budgets. Larger organizations such as universities, governments, and Fortune 2000 companies want those same advantages, which is why Drupal CMS matters at every scale.

Pam also explains how Drupal CMS sits on top of Drupal Core, why it is not a Drupal distribution, how it gives digital agencies leverage, what site templates unlock, and how Drupal Canvas reshapes the page building experience.

If you watch one Drupal video this week, make it Pam's!

20 May 2026 12:20am GMT

19 May 2026

Drupal.org aggregator

Freelock Blog: Your Website Will Be Attacked. Here's How We Make Sure You Survive It.

Website security, data breaches, ransomware attacks, recovery solutions, cybersecurity practices

John Locke

The question used to be whether your website would face a serious security threat. That question has been answered. The question now is whether you'll be ready when it happens - and whether you can recover cleanly when something gets through.
Sustainable/Open Business

19 May 2026 4:00pm GMT

Drupal Association blog: Drupal Association secures Alpha-Omega grant to future-proof Open-Source Security for the AI Era.

We are proud to share that the Drupal Association has been awarded a grant from the Alpha-Omega Project, a project of The Linux Foundation, which seeks to help open source projects identify and mitigate security vulnerabilities.

As AI-generated commits and AI-driven security threats become the norm, open-source ecosystems must evolve rapidly. This funding directly strengthens the already mature Drupal Security Team, ensuring our core ecosystem is hardened against modern, AI-age vulnerabilities.

The funding provided by Alpha-Omega will enable the Drupal Security Team to build the program we need to stay ahead in this fast-moving environment. Drupal's already excellent security position will be even better going forward.

~ Tim Doyle, CEO at Drupal Association.

Security has been a defining pillar of the Drupal ecosystem. This collaboration with the Alpha-Omega Project underscores our ongoing commitment to open-source resilience, solidifying Drupal's position as the gold standard for secure enterprise content management.

Drupal is, and will continue to be, one of the most secure CMS platforms in the world.

19 May 2026 3:27pm GMT

01 Apr 2004

Planet PHP

ezSystems are classy folks

Last week I helped the folks at ezSystems debug some APC problems they were having. The problems ended up being a 64-bit architecture problem (they have uber-fast Opterons) and the bug is now fixed in 2.0.3.

Today I received Python & XML from them (off my Amazon wishlist). Thanks guys!

On a side note, my wishlist seems borked. The list I get when I search on my email address or name is not the same one I can edit when I log into the site.

01 Apr 2004 6:53pm GMT

PHP april fools...

The 1st of April 2004 is coming to its end and I guess it's time to summarize the recent April fools a bit. Not that I think anyone in the world believes in them, but some were quite funny:

1. Changes to case sensitivity in PHP.
Alan Knowles announced that PHP will change to the studlyCase API and therefore will get everything broken by changing established functions.

2. IBM takes over Zend.
I myself hacked up a little article about IBM taking over Zend to make PHP a competitor of Java.

3. The first PHP virus has been seen.
Wasn't there one last year, too?

4. PHP has been overtaken by Micro$oft.
Mhhh... a little bit unreliable, if they had been taken over by IBM this morning... Maybe one should first look at what others wrote...

5. And finally, PHP4 and 5 showed their real faces...
Take a look at a phpinfo() output!

I guess I missed some, so feel free to comment on this entry, if you found another!

01 Apr 2004 5:49pm GMT

PHP Virus Attacking Web Hosts

Symantec have a report of the virus here. I've yet to see any of the PHP news sites picking up on it but, using a virtual host account, managed to deliberately expose some PHP scripts to it. From examining the infected scripts, what's disturbing is once infected, every tim...

01 Apr 2004 12:19pm GMT