These are security bulletins released by the Neos project. You can also keep yourself updated by following the SensioLabs Vulnerability database.
If you discover a security issue with Neos, Flow or a related package, please contact us via security (at) neos.io instead of using a public channel. That way we can work on a fix together before everyone knows how to exploit a potential issue. Thank you!
- Bugfix Releases for Entity Security (Apr 12th, 2017)
- Security fix for Flow Swift Mailer package (Jan 6, 2017)
- Time-Based Information Disclosure Vulnerability in Flow (Nov 1, 2016)
- Arbitrary file upload and XML External Entity processing (Nov 23, 2015)
- Cross-Site Scripting in TYPO3 Flow (Dec 10, 2013)
- Insecure Unserialize Vulnerability in FLOW3 (Mar 28, 2012)