Flux
Toutes les catégories

Programmation

1475 articles

CVE-2026-48807: Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators
Programmation Web

CVE-2026-48807: Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators

Affected versions Twig versions <=3.26.0 are affected by this security issue. The issue has been fixed in Twig 3.27.0. Description This is a residual bypass of CVE-2026-47732 / GHSA-pr2w-4gpj-cpq4 left after the initial fix for unguarded __toString()…

Symfony Blog
CVE-2026-46636: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders
Programmation Web

CVE-2026-46636: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders

Affected versions Twig versions <=3.26.0 are affected by this security issue. The issue has been fixed in Twig 3.27.0. Description The per-template filter, tag and function allow-list check is compiled into the checkSecurity() method of each Template…

Symfony Blog
CVE-2026-48805: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
Programmation Web

CVE-2026-48805: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

Affected versions Twig versions <=3.26.0 are affected by this security issue. The issue has been fixed in Twig 3.27.0. Description The 3.26.0 source-policy hardening changed the signature of CoreExtension::checkArrow() to take a boolean $isSandboxed…

Symfony Blog
CVE-2026-48808: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
Programmation Web

CVE-2026-48808: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

Affected versions Twig versions <=3.26.0 are affected by this security issue. The issue has been fixed in Twig 3.27.0. Description This is a residual bypass of CVE-2026-46635 / GHSA-vcc8-phrv-43wj that only affects sandboxing enabled through SourcePolicyInterface…

Symfony Blog
OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI
Cybersécurité Programmation

OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI

OSV, the OpenSSF-backed vulnerability database, withdrew 157 malicious-package reports on May 26 after automated detections incorrectly flagged npm and PyPI packages as malware, pushing bad records for trusted projects into OSV-consuming security tools and CI/CD systems. The rollback happened in OpenSSF’s malicious-packages repository, where OSV-format records for malicious packages are maintained. A PR titled “Withdraw FastAPI v0.136.3 and other FPs reports,” began with a false-positive…

Socket
The PHP Foundation Impact and Transparency Report 2025
Programmation Web

The PHP Foundation Impact and Transparency Report 2025

Executive Summary PHP turned 30 in 2025. With The PHP Foundation's support, the PHP project marked the year by shipping PHP 8.5. The PHP Foundation also launched PIE 1.0, initiated a project to modernize PHP's stream layer, and authored roughly 42% of all commits to PHP's core. This work was supported by 536 sponsors and individual contributors, and it could not have happened without them. At the end of 2025, The PHP Foundation consisted of 8 volunteer board members, an Executive Director…

The PHP Foundation
The pressure
IA Programmation

The pressure

The pressure Daniel Stenberg on the unprecedented level of pressure the curl team are facing right now thanks to the deluge of (credible) AI-assisted security issues being reported. The rate of incoming security reports is 4-5 times higher than it was in 2024 and double the speed of 2025 -- meaning that on average we now get more than one report per day. The quality is way higher than ever before. The reports are typically very detailed and long. [...] For the first time in my life, my wife…

Simon Willison's Weblog
Microsoft Copilot Cowork Exfiltrates Files
IA Programmation

Microsoft Copilot Cowork Exfiltrates Files

Microsoft Copilot Cowork Exfiltrates Files The biggest challenge in designing agentic systems continues to be preventing them from enabling attackers to exfiltrate data. In this case Microsoft Copilot Cowork (yes, that's a real product name) was allowing agents to send emails to the user's own inbox without approval... but those messages were then displayed in a way that could leak data to an attacker via rendered images: Because these messages can contain external images that trigger network…

Simon Willison's Weblog
Quoting Paul Graham
IA Programmation

Quoting Paul Graham

A lot of the emails I get from founders are now written in a hard-hitting journalistic style. I know they're written by AI, because no founder ever wrote this way before. And once you realize something is written by AI, it's hard not to ignore it. I have never knowingly finished reading an email signed by a human but written by AI. It feels like being lied to, and who would stand for that? [...] It makes me think less of the author. It means they can't write well unaided (or feel they can't),…

Simon Willison's Weblog