This week, Symfony 8.1 was released. In addition, we published dozens of security advisories and released the security updates Symfony 5.4.53, 6.4.41, 7.4.13, 8.0.13, Twig 3.27, Symfony UX 2.36 and 3.1, and Polyfill 1.38.1. We also published more information about the upcoming SymfonyOnline June 2026 conference.
May 31, 2026
#A week of symfony
Tobias Nyholm will introduce the Model Context Protocol (MCP), an open specification that lets AI clients discover your app's tools, and demonstrate the new official PHP mcp-sdk co-built by the Symfony AI initiative, showing how easily you can secure routes and leverage Symfony's bundle integration.
May 30, 2026
#Conferences
Vincent Amstoutz will explore the practical reality of using AI as an autonomous security researcher to uncover complex injection paths, broken access control, and logic flaws that traditional rulesets miss, giving you a battle-tested strategy to weaponize LLMs against your own technical debt.
May 29, 2026
#Conferences
Symfony 8.1 curated new features
May 29, 2026
#Symfony
Information exposure via unescaped LIKE wildcards in EntitySearchUtil
May 29, 2026
#Security Advisories
#Symfony UX
XSS in symfony/ux-autocomplete via unescaped AJAX response data
May 29, 2026
#Security Advisories
#Symfony UX
XSS in symfony/ux-live-component via attacker-controlled child component tag
May 29, 2026
#Security Advisories
#Symfony UX
Format-less date LiveProps parsed with the permissive DateTime constructor
May 29, 2026
#Security Advisories
#Symfony UX
LiveComponentHydrator HMAC checksum lacks component and slot binding
May 29, 2026
#Security Advisories
#Symfony UX
Denial of service in symfony/ux-live-component via unbounded batch action requests
May 29, 2026
#Security Advisories
#Symfony UX
CVE-2026-49215 CSRF Protection Bypass in symfony/ux-live-component: Accept Header is CORS-Safelisted
May 29, 2026
#Security Advisories
#Symfony UX
Guillaume Loulier will show you how to give an AI agent a voice using Symfony AI and the code you already have, tackling hard topics like latency, cost, and debugging so you can walk away with a clear checklist to ship voice features to real users.
May 28, 2026
#Conferences
Symfony 8.1 improves the DependencyInjection component with lazy env-var autoloading for long-running workers, stack-based service decoration, decorates_tag support, stronger Target integration, and more.
May 28, 2026
#Living on the edge
Dave Liddament will explain how to build a reliable enforcement layer for AI assistant outputs using custom PHPStan rules, covering AST manipulation with nikic/php-parser and teaching you how to turn one-off AI corrections into team-wide invariants.
May 27, 2026
#Conferences
Symfony 8.1 improves JSON handling with support for value objects, better date handling, default options, and custom JsonPath functions.
May 27, 2026
#Living on the edge
Sandbox `__toString()` policy bypass via dynamic mapping keys
May 27, 2026
#Security Advisories
#Twig
Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` filters and via the `in`/`not in` operators
May 27, 2026
#Security Advisories
#Twig
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
May 27, 2026
#Security Advisories
#Twig
Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
May 27, 2026
#Security Advisories
#Twig
Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
May 27, 2026
#Security Advisories
#Twig
Join Sean Mackay at SymfonyDay Montreal as he breaks down the key Symfony features (Doctrine, Messenger, Events) that transformed Pimcore into a robust, update-friendly platform.
May 27, 2026
#Conferences
Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade
May 27, 2026
#Security Advisories
#Symfony
HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on object, applet, iframe, img and the URL Inside meta http-equiv="refresh" content
May 27, 2026
#Security Advisories
#Symfony
UrlGenerator Dot-Segment Encoding Skips Every Other Chained ../ or ./: Generated URL Collapses Off-Route Under RFC 3986 Normalization
May 27, 2026
#Security Advisories
#Symfony
HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
May 27, 2026
#Security Advisories
#Symfony
IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
May 27, 2026
#Security Advisories
#Symfony
Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
May 27, 2026
#Security Advisories
#Symfony
Christopher will tour the official Symfony AI initiative, exploring the Platform component and its uniform API across LLM providers, the Agent component with its multi-agent orchestration, and the Store component for RAG, complete with live demos featuring webcams and a look at the v1 roadmap.
May 26, 2026
#Conferences
symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence
May 26, 2026
#Security Advisories
#Symfony
Thomas Durand will explore how to put the CLI at the heart of your development workflow, leveraging the full power of Symfony Console to automate tasks and improve developer productivity.
May 26, 2026
#Conferences
Symfony 8.1 improves console input with image pasting, interactive choice questions, answer validation, and raw input forwarding.
May 26, 2026
#Living on the edge
This week, Symfony released 36 security advisories and published security releases 5.4.52, 6.4.40, 7.4.12, 8.0.12, 8.1.0 BETA3 and Twig 3.26.0. We also published an article about how we used Claude Mythos to analyze the Symfony and Twig codebases and uncover many of these security issues. Lastly, we announced that the Symfony UX 2.x branch is now in security-fixes-only maintenance mode and shared more details about the SymfonyOnline June 2026 conference.
May 24, 2026
#A week of symfony
Mathias Arlaud will take a deep dive into the internals of Symfony's HTTP layer to explain the performance implications of how we handle responses and how to optimize your controllers for maximum efficiency.
May 22, 2026
#Conferences
Symfony UX 2.x is now in security-only maintenance mode. Going forward, all new features and bug fixes will target Symfony UX 3.x, while security updates for 2.x will continue until January 1, 2027. Learn what this means for existing projects and why now is the right time to plan your upgrade to Symfony UX 3.x.
May 22, 2026
#Other
Symfony 8.1 improves Messenger with batch fetching, AMQP priorities, smarter retries, and configurable resets.
May 22, 2026
#Living on the edge
Claude Mythos Preview, Anthropic's unreleased model, audited Symfony and Twig code and reported 19 vulnerabilities. All of them turned out to be real.
May 21, 2026
#Symfony
Email Header Injection via Non-Token Characters in Mime Parameter Names
May 20, 2026
#Security Advisories
#Symfony
Johannes introduces Symfony Mate, an MCP server that exposes a curated, deterministic view of your running Symfony application (container, services, profiler, logs) to any MCP-aware client.
May 20, 2026
#Conferences
Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection
May 20, 2026
#Security Advisories
#Symfony
Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection
May 20, 2026
#Security Advisories
#Symfony
SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
May 20, 2026
#Security Advisories
#Symfony
JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits: ReDoS
May 20, 2026
#Security Advisories
#Symfony
Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection
May 20, 2026
#Security Advisories
#Symfony
OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
May 20, 2026
#Security Advisories
#Symfony
HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and Misclassification
May 20, 2026
#Security Advisories
#Symfony
UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
May 20, 2026
#Security Advisories
#Symfony
Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering
May 20, 2026
#Security Advisories
#Symfony
HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
May 20, 2026
#Security Advisories
#Symfony
SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
May 20, 2026
#Security Advisories
#Symfony
YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
May 20, 2026
#Security Advisories
#Symfony
HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
May 20, 2026
#Security Advisories
#Symfony
Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
May 20, 2026
#Security Advisories
#Symfony
CVE-2026-45071 XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
May 20, 2026
#Security Advisories
#Symfony
Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
May 20, 2026
#Security Advisories
#Symfony
HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: javascript: URI Survives Sanitization (XSS)
May 20, 2026
#Security Advisories
#Symfony
Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
May 20, 2026
#Security Advisories
#Symfony
Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
May 20, 2026
#Security Advisories
#Symfony
YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings
May 20, 2026
#Security Advisories
#Symfony
Identity Spoofing via Unanchored DN Regex in X509Authenticator
May 20, 2026
#Security Advisories
#Symfony
YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
May 20, 2026
#Security Advisories
#Symfony
CVE-2026-47732 Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
May 20, 2026
#Security Advisories
#Twig
The `spaceless` filter implicitly marks its output as safe
May 20, 2026
#Security Advisories
#Twig
Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arguments
May 20, 2026
#Security Advisories
#Twig
Sandbox property and method bypass via object-destructuring assignment
May 20, 2026
#Security Advisories
#Twig
PHP code injection via `{% use %}` template name
May 20, 2026
#Security Advisories
#Twig
Sandbox property allowlist bypass via the `column` filter (array_column on objects)
May 20, 2026
#Security Advisories
#Twig
`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
May 20, 2026
#Security Advisories
#Twig
XSS in profiler HtmlDumper via unescaped template and profile names
May 20, 2026
#Security Advisories
#Twig
`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
May 20, 2026
#Security Advisories
#Twig
HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`
May 20, 2026
#Security Advisories
#Twig
Sandbox does not protect against resource exhaustion
May 20, 2026
#Security Advisories
#Twig
Arbitrary PHP code execution via `_self.(
May 20, 2026
#Security Advisories
#Twig
Possible sandbox bypass when using a source policy
May 20, 2026
#Security Advisories
#Twig
Twig 3.26.0 released
May 20, 2026
#Releases
#Security Advisories
#Twig
Learn with Arnaud Oltra where to start without breaking everything. An honest retrospective full of real-world constraints, false good ideas, and practical migration tips! 🙌
May 19, 2026
#Conferences
Symfony 8.1 improves the Validator component with new constraints, Clock support, and reentrant validators.
May 19, 2026
#Living on the edge
Join Nicolas Grekas to learn advanced techniques for adjusting your app's behavior on the fly! 🍁
May 18, 2026
#Conferences
Symfony 8.1 improves the request payload mapper with support for uploaded files inside DTOs, variadic arguments, empty payloads, and dynamic validation groups.
May 18, 2026
#Living on the edge
This week, Symfony published maintenance versions 6.4.39, 7.4.11, and 8.0.11. In addition, we announced the second beta release of Symfony 8.1. Finally, we shared the schedule for the SymfonyOnline June 2026 conference and more details about SymfonyDay Montreal 2026.
May 17, 2026
#A week of symfony
Robin Chalas will demonstrate how Symfony 8 leverages modern PHP to make hexagonal architecture and DDD patterns practical and natural, allowing you to build scalable applications that put your business logic first!
May 15, 2026
#Conferences
Symfony 8.1 improves translations with broader XLIFF support, more flexible locale configuration, and better placeholder handling.
May 14, 2026
#Living on the edge