18 Jun 2026

feedSymfony Blog

SymfonyDay Montreal 2026: A memorable day, un grand merci à tous ! 🍁

SymfonyDay Montreal 2026 is officially a wrap, and what an incredible edition it was on June 4th! A full day packed with inspiring conferences, deep-dive tech insights, and above all, the immense joy of bringing the local Symfony community together.…

18 Jun 2026 12:30pm GMT

feedDrupal.org aggregator

DrupalCon News & Updates: Why DrupalCon Rotterdam Is Worth Attending

DrupalCon Rotterdam is one of those events that naturally attracts attention across the Drupal ecosystem. Not only because it brings the community together, but because it creates a space where technology, strategy, contribution and real-world digital projects meet.

For anyone working with Drupal, open source or digital experience platforms, the question is not just "what happens at DrupalCon?", but it might be: "If you have never been before, why should this be the year to go?"

Photo by PdJohnson

Photo by Joris Vercammen


Why Rotterdam?

Rotterdam feels like a strong fit for an event like DrupalCon. It is a city known for innovation, architecture, international connections and a forward-looking mindset - qualities that align naturally with the spirit of the Drupal community.

Bringing DrupalCon to Rotterdam creates an opportunity to connect the European Drupal community in a dynamic and accessible setting. It also gives professionals from different markets the chance to meet, exchange perspectives and discuss how Drupal continues to evolve in a fast-changing digital landscape.


Learning from real experience

One of the strongest reasons to attend DrupalCon is the quality of the knowledge shared by the community.

This is not only about product updates or technical presentations, It is about learning from people who are building, maintaining and improving digital platforms in real contexts, often with complex requirements, long-term governance needs and ambitious user experience goals.

From technical sessions to strategic case studies, DrupalCon gives attendees access to practical insight that is difficult to get from documentation alone.


Meeting the community behind Drupal

Drupal has always been more than a content management system; It is an open-source project supported by a global network of contributors, companies and professionals.

For someone who has never attended before, this is one of the most compelling reasons to go: Online discussions, issue queues and documentation are valuable, but meeting people face to face adds a different layer to the experience.

Conversations during sessions, between talks or at community events can lead to new ideas, partnerships and a better understanding of how others approach similar challenges.

Photo by Matthew Saunders

Photo by Matthew Saunders


Inspiration beyond the technical track

DrupalCon is also a place to see what organisations are doing with Drupal today.

Real-world examples often show the platform's value more clearly than feature lists. They reveal how Drupal is being used to support public sector platforms, media websites, higher education, enterprise ecosystems, multilingual content, accessibility requirements and complex editorial workflows.

That is why DrupalCon is relevant beyond development, project managers, designers, UX professionals, marketers, content teams and business leaders can all find useful perspectives on delivery, governance, accessibility, platform strategy and the role of open source in long-term digital transformation.


Why attend for the first time?

Attending DrupalCon for the first time is a way to move from observing the community to being part of it.

It is an opportunity to learn from experienced professionals, understand the direction of the platform, discover practical use cases and build connections that can continue long after the event ends.

DrupalCon Rotterdam represents more than another event in the digital calendar, It is a chance to understand Drupal through the people and projects that keep it moving forward.

For a first-time attendee, that may be the strongest reason to go.

Because sometimes the best way to understand the value of a community is not to read about it from the outside. It is to be in the room where that community comes together.


See you there?
Register now!


- Article by Daniela Moreira

18 Jun 2026 5:32am GMT

17 Jun 2026

feedDrupal.org aggregator

Security advisories: Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009

Project:
Drupal core
Date:
2026-June-17
Security risk:
Moderately critical 11β€‰βˆ•β€‰25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability:
Improper validation
Affected versions:
<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*
CVE IDs:
CVE-2026-55808
Description:

The JSON:API and REST modules allow you to upload image files to image fields.

The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.

Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.

Solution:

Install the latest version:

Drupal 11

Drupal 10

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By:
Fixed By:
Coordinated By:

17 Jun 2026 6:58pm GMT

Security advisories: Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008

Project:
Drupal core
Date:
2026-June-17
Security risk:
Moderately critical 10β€‰βˆ•β€‰25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability:
Server-side request forgery
Affected versions:
<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*
CVE IDs:
CVE-2026-55807
Description:

The Media module comes with support for oEmbed. The oEmbed specification contains two discovery mechanisms, via providers.json and via URL discovery.

The URL discovery code could be leveraged to trick Drupal into making server-side requests to any URL.

Solution:

Install the latest version:

Drupal 11

Drupal 10

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Required site changes for URL discovery

Most users of the oEmbed functionality in Drupal likely use providers.json to define known providers (such as YouTube and Vimeo) for embedding content.

If you are using URL discovery, you now need to set a list of trusted oEmbed discovery hosts in settings.php.

This is an array containing a series of regular expressions for matching host names for discovery. It follows the same pattern as the existing trusted hosts settings.

Example:

// Only allow URL discovery from example.com.
$settings['media_oembed_discovery_trusted_host_patterns'] = [
  '^example\.com$',
];
Reported By:
Fixed By:
Coordinated By:

17 Jun 2026 6:57pm GMT

feedSymfony Blog

New in Twig 4.0: Expression Parsers

Contributed by Fabien Potencier in #4543 ,…

17 Jun 2026 11:47am GMT

16 Jun 2026

feedSymfony Blog

Symfony: The Fast Track, now in nine languages

Earlier this week, I announced the Symfony 8.1 edition of The Fast Track. If you made it to the end of that post, you read that the book was available in five languages. That line is already out of date, and I could not be happier about it. The Symfony 8.1…

16 Jun 2026 8:49am GMT

01 Apr 2004

feedPlanet PHP

ezSystems are classy folks

cover
Last week I helped the folks at ezSystems debug some APC problems they were having. The problems ended up being a 64bit architecture problem (they have uber-fast Opterons) and the bug is now fixed in 2.0.3.

Today I received Python & XML from them (off my Amazon wishlist). Thanks guys!

On a side note, my wishlist seems borked. The list I get when I search on my email address or name is not the same one I can edit when I log into the site.

01 Apr 2004 6:53pm GMT

PHP april fools...

1st of April 2004 get's to it's end and I guess it's time, to summarize the recent April fools a bit. Not that I think anyone in the world believes in them, but some were quite funny:

1. Changes to case sensitivity in PHP.
Alan Knowles announced that PHP will change to the studlyCase API and therefor will get everything broken by changing established functions.

2. IBM takes over Zend.
Myself hacked a little article about IBM taking over Zend to make PHP a compete of Java.

3. The first PHP virus has been seen.
Wasn't there one last year, too?

4. PHP has been overtaken by Micro$oft.
Mhhh... a little bit unreliable, if they had been taken over by IBM this morning... Maybe one should first look, what others wrote...

5. And finally, PHP4 and 5 showed their real faces...
Take a look at a phpinfo() output!

I guess I missed some, so feel free to comment on this entry, if you found another!

01 Apr 2004 5:49pm GMT

PHP Virus Attacking Web Hosts

Symantec have a report of the virus here. I've yet to see any of the PHP news sites picking up on it but, using a virtual host account, managed to deliberately expose some PHP scripts to it. From examining the infected scripts, what's disturbing is once infected, every tim...

01 Apr 2004 12:19pm GMT