Security Bulletins
These are security bulletins released by the Neos project. You can also keep yourself updated by following the PHP Security Advisories Database. We recommend using a tool like roave/security-advisories or Local PHP Security Checker to check your project's dependencies against that database.
If you discover a security issue with Neos, Flow or a related package, please contact us via security (at) neos.io instead of using a public channel. That way we can work on a fix together before everyone knows how to exploit a potential issue. Thank you!
Neos
- XSS in various backend modules (May, 2022)
- Information Disclosure Security Note (June, 2019)
- XSS vulnerabilities in Neos (Nov 23, 2015)
- Privilege Escalation in TYPO3 Neos (Mar 28, 2015)
Flow
- Fluid Templating Engine Vulnerability (May, 2019)
- PHP YAML vulnerability (Jul 12th, 2018)
- Bugfix Releases for Entity Security (Apr 12th, 2017)
- Security fix for Flow Swift Mailer package (Jan 6, 2017)
- Time-Based Information Disclosure Vulnerability in Flow (Nov 1, 2016)
- Arbitrary file upload and XML External Entity processing (Nov 23, 2015)
- Cross-Site Scripting in TYPO3 Flow (Dec 10, 2013)
- Insecure Unserialize Vulnerability in FLOW3 (Mar 28, 2012)