This release includes 2 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: Version 9.5.2 updates third-party libraries and hardens unserialize() calls to block PHP Object Injection.
Why it matters: The security fixes close vulnerabilities in twig/twig and symfony/yaml and enforce allowed_classes on unserialize(), mitigating injection risks across all deployments.
Summary
AI summary: Updates Bug Fixes, Security Fixes, and Behavioral Improvements across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Updated third party composer libraries to close out new security vulnerabilities (twig/twig, symfony/yaml). | — |
| Security | Critical | Added allowed_classes parameter to unserialize() calls in Permission, Cache, Search to prevent PHP Object Injection. | — |
| Security | Critical | Added allowed_classes parameter to unserialize() calls in Workflow, Form blocks, and File/Set to prevent PHP Object Injection. | — |
| Feature | Low | Added `on_package_test_for_uninstall`, `on_before_package_uninstall`, and `on_after_package_uninstall` events for developers. | — |
| Bugfix | Medium | Restored old behavior: custom template missing renders default view instead of nothing. | — |
| Bugfix | Medium | Fixed misplaced closing anchor tag in calendar event date output. | — |

Source for all rows: llm_adapter@2026-06-02. Confidence: high.
Full changelog
Behavioral Improvements
- Page attributes are now grouped by set in the Composer Add Form Control dialog.
Bug Fixes
- Advanced board templates that used the `$summaryObject` variable within them should now work again.
- Restored old behavior where if a block used a custom template, but that custom template actually didn't exist in the filesystem, the block would not render anything. Now it renders the default view (as it used to).
- Fixed: In the date output of a calendar event there was a closing anchor tag which appears to be out of place (thanks danklassen)
Developer Updates
- Added `on_package_test_for_uninstall`, `on_before_package_uninstall` and `on_after_package_uninstall` events.
Security Fixes
- Updated third party composer libraries to close out new security vulnerabilities in our upstream dependencies like twig/twig, symfony/yaml, and others.
- Added allowed_classes to unserialize() in Permission, Cache, and Search to prevent PHP Object Injection (thanks XananasX7)
- Added allowed_classes to unserialize() in Workflow, Form blocks, and File/Set (thanks XananasX7)
Security Fixes
- Added allowed_classes to unserialize() in Permission, Cache, Search, Workflow, Form blocks, and File/Set to prevent PHP Object Injection
- Updated third‑party composer libraries (twig/twig, symfony/yaml) to close new security vulnerabilities
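What the allowed_classes hardening changes at runtime, as an added example that is not code from this release or from the project: the same serialized blob is restored with the PHP default, with objects disabled, and with an allow list. `AuditLogger`, `SearchFilter` and `restoreAndDiscard()` are hypothetical names, and the blob is constructed sample input.

```php
<?php
// Added example, not the project's code. AuditLogger and SearchFilter are
// hypothetical classes; AuditLogger stands in for any loadable class whose
// magic methods act on its own properties.
final class AuditLogger
{
    public static array $sideEffects = [];
    public string $target = 'default.log';

    public function __destruct()
    {
        // A real class might write or delete the file named in $target here.
        self::$sideEffects[] = $this->target;
    }
}

final class SearchFilter
{
    public string $keywords = '';
}

// Constructed sample input: serialized data whose contents the application
// does not control (cache entry, form field, stored workflow state).
$logger = new AuditLogger();
$logger->target = 'value-from-untrusted-data';
$blob = serialize($logger);
unset($logger);

function restoreAndDiscard(string $blob, array $options): array
{
    AuditLogger::$sideEffects = [];
    $value = unserialize($blob, $options);
    $class = is_object($value) ? get_class($value) : gettype($value);
    unset($value); // last reference gone: __destruct() runs if the class was built
    return ['class' => $class, 'sideEffects' => AuditLogger::$sideEffects];
}

// Pre-fix behaviour: every class is allowed (the PHP default).
$unrestricted = restoreAndDiscard($blob, ['allowed_classes' => true]);
// Hardened: no objects at all, for data that should only hold scalars/arrays.
$noObjects = restoreAndDiscard($blob, ['allowed_classes' => false]);
// Hardened: explicit allow list when specific value objects are expected.
$allowList = restoreAndDiscard($blob, ['allowed_classes' => [SearchFilter::class]]);

foreach (compact('unrestricted', 'noObjects', 'allowList') as $mode => $result) {
    printf("%-12s class=%s side effects=%d\n", $mode, $result['class'], count($result['sideEffects']));
}
```

In the two hardened modes the value comes back as `__PHP_Incomplete_Class`, so the destructor of `AuditLogger` never runs. Code that reads such a value should treat it as invalid data rather than use it.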